Cyber risk should be a top priority for companies
Marsh, Microsoft survey reveals approach to threats
SAN JUAN — A new survey by insurance broker and risk adviser Marsh, and Microsoft Corp., which has one of the leading productivity platforms, reveals that cyber risk is among the top concerns of organizations and companies around the world, despite the fact that most of their management teams are unaware of the efforts by their own companies to prevent and manage attacks on their information systems.
The 2019 Cyber Risk Perception Survey reflects the related awareness and management approach of more than 1,500 companies, 531 of which are in Latin America.
According to the survey, about 80 percent of the organizations placed cyber risk among their top five concerns, compared with 62 percent in a similar survey done in 2017. However, only 11 percent of respondents expressed a high degree of confidence in their ability to assess cyber threats, prevent attacks and respond to them effectively. That figure is also a decrease from the one presented three years ago, which was 19 percent.
The survey also revealed that the strategic management of cyber risk continues to be a challenge for organizations, despite being a matter of high priority at the organizational level.
The study showed that nine out of 10 corporations, or 88 percent of respondents, identified their information technology and security departments as primarily responsible for preventing cyber-attacks.
On a smaller scale, almost two-thirds, or 65 percent of the organizations surveyed, identified senior management and the board as responsible within the company’s hierarchy for reducing cyber risk, followed by the risk management area or department, with 49 percent.
According to the study, the discrepancy has to do with the time spent on the subject. Only 16 percent of the group that makes up senior management and board directors spend more than a few days addressing the matter, while more than half (51 percent) devote few hours or no time to it.
Meanwhile, organizations continue to adopt new technologies without being sure of the risks they entail.
The survey revealed that 77 percent of respondents said they were adopting or have adopted cloud computing, functions, automated and robotic processes or artificial intelligence, but only 5 percent said they evaluate the cyber risk during the life of the technology, while 11 percent said they did not evaluate the risk at all.
The survey found that 67 percent of the investment in cyber risk for the next three years will focus on technology and mitigation, but not on all the elements that create resilience in the face of this growing and changing challenge.
“Companies are becoming increasingly aware of this problem, but they are not yet prioritizing their resources in building true resilience, that is, in identifying, quantifying, mitigating, transferring and planning their response in the event of an incident,” said Kristina Evans, head of the Marsh Cyber Risk team in Puerto Rico.
Many organizations invest in technology defenses instead of in preventing risk through assessment, planning and other risk management areas that build cyber resilience.
Evans noted that the survey found 64 percent of the organizations consulted mentioned that a cyberattack would trigger investment in cybersecurity.
“The harsh reality that organizations must face is that cyber risk cannot be eliminated. Therefore, it must be managed strategically from the first level of the organization,” the executive added.
“In the era of transformational technology and more interconnected supply chains, the cyber risk management practices and mindsets of yesterday no longer suffice and may actually inhibit innovation,” Joram Borenstein, general manager of the Cybersecurity Solutions Group at Microsoft, said in the announcement. “It is incumbent upon senior leaders to focus on these issues for the welfare of their organizations, their customers, their employees, and beyond.”
Marsh said that the survey points to the following best practices that the most cyber-resilient firms employ and which all firms should consider adopting:
- Create a strong organizational cybersecurity culture, with clear, shared standards for governance, accountability, resources, and actions.
- Quantify cyber risk to drive better informed capital allocation decisions, enable performance measurement, and frame cyber risk in the same economic terms as other enterprise risks.
- Evaluate the cyber risk implications of new technology as a continual and forward-looking process throughout the lifecycle of the technology.
- Manage supply chain risk as a collective issue, recognizing the need for trust and shared security standards across the entire network, including the organization’s cyber impact on its partners.
- Pursue and support public-private partnerships around critical cyber risk issues that can deliver stronger protections and baseline best practice standards for all.