Study Sheds New Light on Cyber Risk


Shedding Light on Cyber Risk

The new study with the long name is also long on interesting takeaways. For small-business leaders, some results may be relatable. Others, however, may leave you scratching your head.

The Marsh-Microsoft Global Cyber Risk Perception Study, as it’s known, examines the feelings and practices of boards and senior execs who manage cyber risk and resilience for large organizations. 

By topic, here’s a quick summary of key findings from the 1,500 entities polled:

1) Strategic importance. 80% ranked cyber risk as a top five concern, up 18% from two years earlier. Eighty-one percent have strengthened computer and system security in the same timeframe.

2) Responsibility. 88% identified the IT/Information Security (InfoSec) department as owners of cyber risk management in their organizations, followed by executive leadership or board (65%) and a risk management team (49%).

3) Confidence. The importance risk managers place on security is high, but confidence in their organizations’ cyber resilience is declining. The term refers to an enterprise’s “capacity to maintain its core purpose and integrity in the wake of or in the face of cyberattacks,” according to Dr. Larry Ponemon (of the eponymous Institute). Basically, it’s “the ability to prevent, detect, contain and recover from threats against both data applications and IT infrastructure.”

Just 11% of survey respondents, half as many as in 2017, expressed a high degree of confidence in their enterprises’ cyber resilience. A surprising 18% had “zero confidence” in their ability to understand and assess cyber risk, while 22% did not believe they could effectively respond to or recover from cyber events. That is a head-scratching finding, considering the size of respondents’ IT teams and budgets.

Here’s another: despite their roles, responsibilities and deeply felt concerns, more than half (51%) of C-suite executives and boards say they spent just “several hours or less” in the past year focused on cyber risk. Bottom line: Enterprise cyber risk and resilience are crucial topics for businesses of every size.