study with the long name is also long on interesting takeaways. For small-business
leaders, some results may be relatable. Others, however, may leave you scratching
The Marsh-Microsoft Global Cyber Risk Perception Study, as it’s known, examines
the feelings and practices of boards and senior execs who manage cyber risk and
resilience for large organizations.
topic, here’s a quick summary of key findings from the 1,500 entities polled:
1) Strategic importance. 80% ranked cyber risk as a top-five
concern, up 18% from two years earlier. Eighty-one percent have
strengthened computer and system security in the same timeframe.
2) Responsibility. 88% identified the IT/Information
Security (InfoSec) department as the owner of cyber risk management in their
organizations, followed by executive leadership or board (65%) and a risk
management team (49%).
3) Confidence. The importance risk managers
place on security is high, but confidence in their organizations’ cyber
resilience is declining. The term “cyber resilience”
refers to an enterprise’s “capacity to
maintain its core purpose and integrity in the wake of or in the face of
cyberattacks,” according to Dr. Larry Ponemon (of the eponymous Institute).
Basically, it’s “the ability to prevent, detect, contain and recover from
threats against both data applications and IT infrastructure.”
11% of survey respondents–half as many as in 2017–expressed a high degree of
confidence in their enterprises’ cyber resilience. A surprising 18% had “zero
confidence” in their ability to understand and assess cyber risk, while 22% did
not believe they could effectively respond to or recover from cyber events. A
head-scratchingly curious finding, considering the size of respondents’ IT teams
another: despite their roles, responsibilities and deeply felt concerns, more
than half (51%) of C-suite executives and boards say they spent just “several
hours or less” in the past year focused on cyber risk. Bottom line:
Enterprise cyber risk and resilience are crucial
topics for businesses of every size.