Most business leaders are no more confident in their ability to manage cyber risks than they were two years ago, despite unrelenting workplace disruption, digital transformation and ransomware attacks.
That is according to a report by insurance broker Marsh and technology company Microsoft, which questioned over 660 cyber risk decision makers in leading organisations across various functions, including cybersecurity and IT, risk management and insurance, finance, and executive leadership.
The findings show that confidence in their core cyber risk management capabilities – including the ability to understand, assess, prevent and respond to cyber threats – is largely unchanged since 2019, when 19.7% of respondents stated they were highly confident, compared to 19% in 2022.
Furthermore, many organisations are still struggling to understand the risks posed by their vendors and digital supply chains as part of their cybersecurity strategies, with only 43% having conducted a risk assessment covering this area.
This comes amid rising ransomware attacks driven by the worldwide move to remote working, with cyber perils recently topping a ranking of concerns for companies globally over the next 12 months.
“Given the continued rise of ransomware and the current tumultuous threat landscape, it is not surprising that many organisations do not feel any more confident in their ability to respond to cyber risks now than they were in 2019,” commented Sarah Stephens, head of international cyber at Marsh.
The findings also show that only 41% of organisations look beyond cybersecurity and insurance to engage their legal, corporate planning, finance, operations or supply chain management functions in making cyber risk plans.
However, 38% now use quantitative methods to measure their cyber risk exposure, which is up from 30% in 2019. The report explains how this is a “critical step” in understanding how cyberattacks and other events can create volatility.
“Cyber risks are pervasive across most organisations,” said Tom Reagan, cyber risk practice leader for the US and Canada at Marsh. “Successfully countering cyber threats needs to be an enterprise-wide goal, aimed at building cyber resilience across the firm, rather than singular investments in incident prevention or cyber defence.
“Greater cross-enterprise communication can help organisations bridge the gaps that currently exist, boost confidence, and better inform overall strategic decision making around cyber threats.”
Author: Chris Seekings