A report by insurance broker Marsh and tech giant Microsoft looks at how cyber risk is viewed by various functions and leaders within organizations, specifically cybersecurity and IT, risk management and insurance, finance and executive leadership.
While all functions have common interests around cyber risks, the report finds that they often act independently. All departments that touch cyber risk should be involved in cyber incident management, and cyber insights should be shared across the enterprise to appropriately address organizational cybersecurity weak spots, says the Marsh & Microsoft report.
The 660-person survey reveals only 41% of organizations engage legal, corporate planning, finance, operations, or supply chain management in making cyber risk plans.
Every organization can expect a cyber attack: a majority of respondents (73%) say they have experienced at least one. More than half of respondents (66%) say home and remote working tops the list of technologies seen as enabling cyberattacks.
Ransomware is still by far the top security threat faced by companies, followed by phishing/social engineering, privacy breaches and business interruption due to a supply chain attack.
The report notes that firms take many cybersecurity actions but widely overlook their vendors and digital supply chains. Only 43% have conducted a risk assessment of their vendor/supply chain.
At least 54% of companies said they do not extend risk assessments of new technologies beyond implementation. About 79% of organizations have a response plan in place and 61% said their company buys some type of cyber insurance coverage.
Confidence in their own organization’s ability to assess, measure, mitigate, and respond to cyber threats remains low among respondents, per the report.
Best Practices for Cyber Risk Management
Cyber risk management should be a shared responsibility in every enterprise. Organizations can have the best tools and activities but are unlikely to meet their potential if there is not effective communication across the enterprise, according to the report.
Executive and department leaders should commit to ongoing, cross-functional communication regarding cyber risk threats, readiness and strategy; engage in cyber risk management planning, including regular exercise of plans; and be involved in post-incident reviews, the report notes.