Chubb research revealed that most companies are not fully prepared for internet security risks. Here's how to defend against this large and growing threat to business.
Businesses may well have cyber-attack response plans and policies that kick in when an incident occurs, but a survey of 250 companies across Europe has found that not everyone is fully aware of their responsibilities. Fewer than half of those who have suffered a notable cyber incident agree that everyone involved in the response knew what to do and that it went ahead as planned, according to the research published by Chubb in the report Bridging the cyber-risk gap.
The most significant factor in a business’s ability to limit the damage of a cyber event is how quickly it can respond. Yet the survey found that many companies are not confident that their incident response plans are up to scratch, or that they test and update them regularly. Worryingly, 55% say their organisation assumes it will never suffer a serious cyber incident. Equally concerning, as Kyle Bryant, Cyber Risk Manager for Europe at Chubb, notes: “Most conversations about cyber risk happen after an event, when obviously, they should be held long beforehand.
To contain an incident effectively, it is crucial that there is a strategic response. A key step, maintains Kyle, is to ensure that a company’s defence policy is the clearly defined responsibility of a single individual. “The lead could be taken by any of the departments for which it is a concern – IT, human resources, operations, risk management or the C-Suite. But whichever department is in charge is less important than the fact that there clearly is someone in charge.”
It’s Good to Talk
With the leadership role established, the next step, says Kyle, is to tackle what he calls “the great divide” between risk management and IT. Only 35% of companies surveyed for the report believe their organisation has good cross-departmental collaboration; and 18% concede that collaboration only happens in response to an imminent threat or following an attack. “To create consistency across the organisation, you have to start in the C-suite,” says Kyle. “You need a person of influence across the organisation who can break down the silos and ensure that cyber is treated as an enterprise risk.”
Understanding each other better will help bridge the divide, which is often at its widest when comes to how severe people estimate the risk to be. IT professionals are more concerned about the impact of a cyber event than their counterparts in the risk function. This divergence of views on the scope of the threat and how to tackle it can leave companies vulnerable.
“The reality is that many organisations find it extremely difficult to quantify the potential consequences of a cyber incident or attack,” explains Leon Adeyemi, a Chubb London Cyber Underwriter. “IT and risk are going to have to work together holistically to look at the various threats their organisations face and to assess the financial implications of such exposures.
Taking a more joined-up approach to risk management represents an organisation’s best chance to mitigate the danger effectively.”
Emphasising the need for better internal communication, Kyle points to a recent report from AIRMIC, the risk management and insurance organisation. “It observed that risk managers have to become more technically savvy. And IT managers can’t be in a silo of their own. Countering cyber attacks is a people process as well as technical process.”
Cyber-risk by the Numbers
Compared with their colleagues in risk, IT professionals tend to be more concerned about ‘the bad actors’: 42% cite the sophistication of hackers as worrying, compared with only 27% of their counterparts in the risk function. This is unsurprising: IT professionals are likely to be most aware of the evolving sophistication of hackers and the technologies they use to breach security. This knowledge appears to be increasing their wariness.
Yet both IT and risk should be looking closer to home: the workforce must be a clear priority for many organisations; 34% of risk respondents and 35% of IT respondents cited overall employee behaviour as the weakest link in their cyber defences. This was, by far, the biggest ‘weak link’ from both.
A fifth of IT professionals said that the integrity of their systems was the second-most cyber defence weakness, but those involved in risk said it was a business’s security software, highlighting risk’s inherent lack of faith in the technology they have defending them; 10% also said the monitoring of security software was a cyber risk, compared with 4% of their IT contemporaries.
Conversely, IT saw themselves and risk as more of a danger than risk did.
The survey found that IT professionals are more likely than their counterparts in the risk function to expect the impact of a cyber event to be severe. This is further evidence that not all organisations have reached a single view of the scope of the threat or how to tackle it, which can leave them vulnerable.
When asked what the fall out from an attack would be, 46% said market reputation would be severely affected. Just behind was the business’s relationship with customers, cited by 45%, followed by the direct expenses incurred, said by 36%. At the other end of the scale, 40% said there would be no real impact on the ability to employ or retain staff in the event of a cyber attack.
For more articles from Chubb UK, see Progress magazine.