Doing business in a connected world is both inspiring and frightening. The same connections that facilitate information sharing and global commerce also create opportunity for cyber risk. And that risk is becoming bigger and more volatile for organizations of all sizes and in all industries. Yet, few organizations treat cyber as a strategic business risk.
A recent JLT sponsored survey by Harvard Business Review Analytic Services found that only 26% of executives believe that their organizations are well prepared for a cyber attack or data breach. However, 85% said that they expect the financial impact of cyber attacks and breaches to increase over the next two years. What is surprising about this finding is that so few executives consider themselves ready for incidents that are becoming astoundingly frequent and increasingly expensive.
Organizations need to make immediate changes to better manage cyber risk. But they are challenged on two fronts - the difficulty of fully grasping the problem and human resistance to change.
A major challenge is the growing complexity, according to Shannon Groeber, Senior Vice President of Cyber/E&O at JLT Specialty. “Cyber risk is an all-encompassing term. It’s not exclusively a technology risk, or an online risk, or a people risk. So many components come together and can leave an organization exposed. Cyber risk also is evolving faster than many people realise,” she said.
A few years ago, it was assumed that cyber events exposed people’s information, such as credit card numbers, but the threat has evolved way beyond that, explained Ms Groeber. “The idea that the most valuable data assets are those that identify an individual is mistaken - that kind of cyber crime is really not as lucrative as it used to be. What is really valuable today is an organization’s trade secrets and the ability to steal or replicate those or hold them hostage,” she said.
Reid Sawyer, Senior Vice President of Cyber Analytics at JLT Specialty, agrees. “There are a myriad of threats today, and a company has to be successful in every instance. A cyber criminal only has to be successful once. There is an asymmetry of the cyber arms race. Threats are advancing at such a pace that organizations are unable to keep up with them.”
Human beings are creatures of habit, and a fundamental reality is that most of us find behaviour difficult to change. Amplified across large organizations, this tendency makes organizations reluctant to embrace change or slow to respond to change.
Organizations are making progress in spreading awareness of cyber security among their employees, according to the Harvard Business Review Analytic Services survey. More than two-thirds of respondents include all employees in cyber security training, and 37% conduct ongoing, staff-wide cyber security training. Yet, other organizational behaviours still leave businesses exposed to cyber events. Why?
Organizations that are the most vulnerable to cyber events are those that don’t have a strategic, cohesive, clear and collaborative approach to protecting their assets, according to Ms Groeber.
“Cyber risk is pervasive, but many organizations approach it narrowly, in silos rather than in a coordinated way. For example, people know their specific roles as they relate to elements of cyber but often do not communicate or collaborate with others across their organization,” she said.
The survey confirms this, finding that only 23% of respondents have a formal strategic plan to address business risks from cyber attacks. In addition, only 21% of respondents’ organizations have defined cyber security as an area of business risk and incorporated it into their vision and risk appetite statements.
Organizations cannot afford to maintain a fragmented view of risk, isolated by department or function. That is dangerous no matter what the risk, whether it happens to be a cyber attack or another strategic risk.
Winning the War
Better-prepared companies have a strategy for how to handle cyber risk that goes well beyond a technological response, according to Ms Groeber. “Expanding roles and reporting lines up to the CEO and board for those responsible for cyber risk management is consistent with organizations that are more likely to minimise the impact of an attack. Such organizations have a very clearly defined response plan,” she added.
As the study shows, only a minority of companies are well prepared for cyber events. According to Mr Sawyer, such companies take a multidisciplinary approach that examines the risk across the breadth of the organization.
“They also understand that the volatility of cyber risk in any given vertical in their organization is different. For example, an oil company’s cyber risk will look different upstream, downstream, offshore and onshore. With cyber risk, the whole is greater than the sum of the parts,” he said.
Organizations that are better equipped to weather cyber incidents are those that have a clear line of sight into their risks and are communicating well with all relevant stakeholders. Working with expert partners to learn as much as possible about the enemy gives organizations an edge in this era of cyber warfare.
For more information, please contact Martin Delaney, Senior Vice President - Leader, Cyber and Risk Management Services at ClientFirst@jltcanada.com.