Companies still unprepared for mounting cyber risks

A growing number of businesses are falling victim to cyber crime, but new survey data shows that most companies are lagging behind when it comes to preparing for an attack.

Over a quarter of respondents to The Global Economic Crime Survey 2016, an annual survey conducted by PwC, said that they had been affected by cyber crime in the past year. Troublingly, a further 18 percent said they did not know whether or not they had been attacked, while 34 percent said they expected to be attacked within the next two years. About 50 of the 6,337 companies in 115 countries that completed the survey suffered losses in excess of USD 50 million, a third of which saw losses over USD 100 million.

Unprepared

More than half of respondents, 53 percent, believed the risk of cyber crime had increased, but only 37 percent had a cyber-incidence response plan in place. Only four in ten had properly trained personnel to respond to a cyber emergency, three quarters of which were IT security staff.

Those findings closely match data from Mitigating the Inevitable: How organizations manage data breach exposure, a report published by Advisen in March, 2016.

Advisen found that while 80 percent of surveyed organizations were worried about a potential data breach, and 17 percent had experienced one over the previous year, less than half of respondents thought that their company was adequately prepared to fend off an attack.

While 75 percent of respondents to the Advisen survey, which polled companies in the U.S., said they had a data-breach response plan in place, only 42 percent of those had tested it. Six out of every ten believed that their IT teams were responsible for managing the response to a cyber attack.

Walls are not enough

That seems short-sighted as the costs of a data-breach include reputation damage, business interruption costs, supply chain disruption, mandatory notification of customers and a host of regulatory and legal issues that stretch beyond the networks and systems that may have been breached and could be existential for any company.

Such a complex combination of risks and effects requires a coordinated, multi-stakeholder response led by the C-suite, rather than a response focused on solving the technological challenges posted by the initial breach.

Businesses must adopt a mindset of resilience rather than just protection; those that identify all possible risks and have an action plan in place are those that will prove most resilient and quickly get back to meeting the expectations of their customers and their shareholders.

To develop that resilience, Zurich advises its customers and partners to:

• Map critical data—know what is most important, where it is (including desktops, remote devices, backup storage, paper documents), how it is protected, who touches it, where it travels. This should include risks within your supply chain.
• Humans are the weakest link, so make sure all employees understand the importance of data security. A security awareness and training program is the lowest-cost security measure with arguably the highest return on investment.
• Have a response plan in place and test it regularly, with practice drills involving internal and external teams so everybody knows what to do when an incident occurs.
• Extend beyond the four walls of the company: With an insurance carrier or broker’s risk management team, review all business partner relationships, including how those vendors/partners approach their own exposures and controls and how the vendor’s suppliers’ approach fits into their overall resilience plan.
• Become part of the discussion and work with policy makers and regulators to build cyber resilience globally.