by Marc Wilczek

Poor cyber resilience: an organization’s Achilles’ heel

Oct 15, 2019
Data BreachPrivacyRisk Management

Research reveals a marked disconnect between the concern over cyber-risk concerns and the overall approach to managing it.

cyber resilience shock absorber
Credit: Getty Images

Digital advances are recreating global business through ongoing advances in artificial intelligence, the Internet of Things (IoT), data availability, blockchain, and other key areas. The rapidity with which these technologies are evolving and reconfiguring traditional business models keeps increasing. Meanwhile, cyber-threats seem to develop just as fast, if not faster.

Today, cyber-risk is about far more than the data breaches and privacy concerns we’ve all heard about in the news. Now it involves maddeningly clever schemes that can disrupt entire companies, industries, supply chains, and nations, and cost the economy billions of dollars. No company, in any sector, is unaffected. The truth is, organizations must accept that cyber-risk can be mitigated, managed, and recovered from. But it’s impossible to escape from.  

That stark reality is outlined in the 2019 Global Cyber Risk Perception Survey, joint research conducted by Microsoft and insurance broker Marsh, based on a global poll of 1,500 business leaders. The survey finds that cyber-risk is now perched atop most corporate risk agendas. However, many organizations are still wrestling with how best to respond to cyber-risk in the context of their broader risk framework. This, even as an endless flood of technological advances introduces novel and undreamed-of cyber-risk concerns.

Growing awareness, declining confidence

Around the world, organizations are showing a worrisome disconnect between their acknowledgement of cyber-risk as a top-rank priority and the way they are dealing with it. Essentially, it seems that organizations are zeroing in more on technology and prevention than on setting aside the time, resources, and activities they need to build meaningful cyber-resilience.

Seventy-nine percent of respondents ranked cyber-risk as a top-five concern in their organization. This, in comparison to 62 percent in 2017. In fact, the number of firms that cited cyber-risk as their prime concern almost quadrupled, from 6 percent to 22 percent.

This year’s survey revealed a notable drop in the firms’ confidence in every cyber-resilience area that matters. These include understanding, assessing, and measuring potential cyber-risks; the ability to reduce the likelihood of cyber-attacks or avert potential damage; and managing, responding to, and recovering from adverse cyber-events. This year, a mere 11 percent of companies reported a high degree of confidence in all three aspects of cyber resilience.

Lax risk management

However, to some extent, this is a known pattern. Many executives still sit on their hands and act after they’re hit by a cyber-attack. Two-thirds (64 percent) of survey respondents said that a cyber-attack on their company would be the biggest driver of increased cyber-risk spending.

Too, in spite of the general enthusiasm for novel and evolving technologies and working methods, some survey respondents were unsure about how risky it was to actually use them. Only 36 percent assessed the risks before and after they adopted new technologies, and only 5 percent evaluate risks across the product’s full lifecycle. A whopping 11 percent don’t check anything out at all.

Cyber governance remains IT’s job

Although cyber-risk is one of the top organizational priorities, the degree to which firms are figuring out who takes ownership of cyber-risk and oversees risk management efforts doesn’t always line up with that ranking. Much of the time, the people who should be on top of it, or at least involved in it, are not. Information technology and information security departments are still viewed as the primary owners of cyber-risk management.

Nine out of ten respondents (88 percent) cited information technology/information security (IT/InfoSec) as one of the three main owners of cyber-risk management, followed by executive leadership/board (65 percent) and risk management (49 percent).

More airtime needed

There is a lot of opportunity to give risk management teams more say in cyber-risk agendas — but only about half of organizations said this was the case in 2019. Still, that’s much better than the 32 percent response of 2017, and indicates greater ownership by risk management. Generally, the ranking of boards, IT and risk managers as the main owners of cyber risk management is a good sign that the right people are leading the way. That said, that IT is still usually named as a primary owner nearly twice as often as risk management shows that corporate leaders still view cyber-risk as a technology matter, and not a critical business threat that requires a strategic, whole-company risk-management approach.

Less than 20 percent of senior leaders and board members spent more than a few days last year thinking hard about their cyber-risk exposure and what they should do to counter an active threat. Only 30 percent of the IT respondents said they spent only a few days or less doing the same thing. This low level of focus on the issue is worrisome, especially since these two constituencies are among the top three corporate owners of cyber-risk management.

As cyber-risks become more sophisticated and difficult to fight, the report’s findings show a positive trend. Enterprises are gradually starting to put best practices in cyber-risk management into place. Virtually everyone understands the magnitude of the risk.

That said, the 2019 survey shows there’s still a gulf between cyber risk’s ranking on the corporate risk agenda and the degree to which organizational cyber-risk management has evolved on the ground to deal with looming challenges.

It’s time that companies begin taking cyber-risk more seriously by directing real resources, and not more talk, towards the issue. More and more, business is inextricably tied to the digital world, from internal communications and supply chains, to sales and customer satisfaction. A successful cyber-attack can cripple or destroy a company’s brand and its reputation, not to mention wreak havoc on the bottom line. Consequently, doing what worked yesterday is no longer enough. Today, companies must shift their thinking from a focus on the security of their firm only and accept the reality that they are responsible for network security across the entire supply chain. Doing that effectively entails a wrap-around approach that includes risk assessment, measurement, mitigation, transfer, and planning. The combination of these elements that works best will depend on each company’s individual risk profile and risk tolerance.