Doing business in a connected world is both inspiring and frightening. The same connections that facilitate information sharing and global commerce also create opportunity for cyber risk. And that risk is becoming bigger and more volatile for organisations of all sizes and in all industries. Yet, few organisations treat cyber as a strategic business risk.
A recent JLT-sponsored survey by Harvard Business Review Analytic Services found that only 26% of executives believe that their organisations are well prepared for a cyber attack or data breach. However, 85% said that they expect the financial impact of cyber attacks and breaches to increase over the next two years. What is surprising about this finding is that so few executives consider themselves ready for incidents that are becoming astoundingly frequent and increasingly expensive.
Organisations need to make immediate changes to better manage cyber risk. But they are challenged on two fronts - the difficulty of fully grasping the problem and human resistance to change.
A major challenge is the growing complexity, according to Shannon Groeber, Senior Vice President of Cyber/E&O at JLT Specialty. “Cyber risk is an all-encompassing term. It’s not exclusively a technology risk, or an online risk, or a people risk. So many components come together and can leave an organisation exposed. Cyber risk also is evolving faster than many people realise,” she said.
A few years ago, it was assumed that cyber events exposed people’s information, such as credit card numbers, but the threat has evolved way beyond that, explained Ms Groeber. “The idea that the most valuable data assets are those that identify an individual is mistaken - that kind of cyber crime is really not as lucrative as it used to be. What is really valuable today is an organisation’s trade secrets and the ability to steal or replicate those or hold them hostage,” she said.
Reid Sawyer, Senior Vice President of Cyber Analytics at JLT Specialty, agrees. “There are a myriad of threats today, and a company has to be successful in every instance. A cyber criminal only has to be successful once. There is an asymmetry of the cyber arms race. Threats are advancing at such a pace that organisations are unable to keep up with them.”
Human beings are creatures of habit, and a fundamental reality is that most of us find behaviour difficult to change. Amplified across large organisations, this tendency makes organisations reluctant to embrace change or slow to respond to change.
Organisations are making progress in spreading awareness of cyber security among their employees, according to the Harvard Business Review Analytic Services survey. More than two-thirds of respondents include all employees in cyber security training, and 37% conduct ongoing, staff-wide cyber security training. Yet, other organisational behaviours still leave businesses exposed to cyber events. Why?
Organisations that are the most vulnerable to cyber events are those that don’t have a strategic, cohesive, clear and collaborative approach to protecting their assets, according to Ms Groeber.
“Cyber risk is pervasive, but many organisations approach it narrowly, in silos rather than in a coordinated way. For example, people know their specific roles as they relate to elements of cyber but often do not communicate or collaborate with others across their organisation,” she said.
The survey confirms this, finding that only 23% of respondents have a formal strategic plan to address business risks from cyber attacks. In addition, only 21% of respondents’ organisations have defined cyber security as an area of business risk and incorporated it into their vision and risk appetite statements.
Organisations cannot afford to maintain a fragmented view of risk, isolated by department or function. That is dangerous no matter what the risk, whether it happens to be cyber attack or other strategic risks.
Winning the War
Better-prepared companies have a strategy for how to handle cyber risk that goes well beyond a technological response, according to Ms Groeber. “Expanding roles and reporting lines up to the CEO and board for those responsible for cyber risk management is consistent with organisations that are more likely to minimise the impact of an attack. Such organisations have a very clearly defined response plan,” she added.
As the study shows, only a minority of companies are well prepared for cyber events. According to Mr Sawyer, such companies take a multidisciplinary approach that examines the risk across the breadth of the organisation.
“They also understand that the volatility of cyber risk in any given vertical in their organisation is different. For example, an oil company’s cyber risk will look different upstream, downstream, offshore and onshore. With cyber risk, the whole is greater than the sum of the parts,” he said.
Organisations that are better equipped to weather cyber incidents are those that have clear line of sight into their risks and are communicating well with all relevant stakeholders. Working with expert partners to learn as much as possible about the enemy provides organisations an edge in this era of cyber warfare.