You Are Overconfident in Your Level of Cyber Preparedness

The vast majority of executives believe their organizations are following cyber resilience best practices. But more than half haven’t even completed a cyber risk assessment.
By Michelle Kerr | November 29, 2018

The first full-scale DDoS attack occurred in 2000, impacting numerous popular sites including Yahoo, Amazon, Dell, eBay and CNN and wreaking havoc to the tune of $1.2 billion. Nearly two decades later, major DDoS attacks and all other stripes of cyber attack are so commonplace that they’re barely a blip on the news radar.

The percentage of businesses reporting they have been the victim of a cyber attack has doubled since 2015. According to the 2018 Travelers Risk Index, cyber risk is the No. 2 concern across all business sizes and industries, and 52 percent of business leaders consider it inevitable that their organization will fall victim to a cyber-attack. In the technology, banking and professional services sectors, cyber risk is the No. 1 business concern.

But the Risk Index data — culled from a June 2018 Hart Research survey of more than 1,200 business leaders representing a range of industries and company sizes — revealed a significant disconnect between executives’ beliefs about their companies’ cyber risk preparedness, and the actual steps being taken to ensure cyber resilience.

Ninety-one percent of respondents stated they were confident that their organizations had implemented best practices to avoid or mitigate a cyber event.

That figure isn’t easily reconciled with the fact that 55 percent reported their companies had not completed a cyber risk assessment, and 62 percent had no written business continuity plan. Further, 63 percent had not assessed the cyber security of vendors with access to their data.

Said Tim Francis, enterprise cyber lead for Travelers: “When you read into some of the things that they have done — or more importantly have not done — I have to scratch my head a little and say, ‘Have they really done all that they could be doing? Do they really fully understand [the risk]?’ ”

Many businesses aren’t adequately planning for their recovery from a cyber event either. Cyber insurance was “born” in 1997, and yet half of the 2018 survey respondents indicated they do not purchase cyber policies, and 23 percent reported they were not familiar with their cyber insurance options.

Misunderstandings about cyber coverage still abound. In focus groups conducted for the Risk Index, said Francis, many executives directly responsible for purchasing insurance for their organizations were unaware that there was coverage available or had misperceptions about the type of cyber events it would cover. In some cases, they thought they were covered even though they had not bought cyber insurance. “All of these things are dangerous for businesses in this day and age,” said Francis.

Small businesses suffer the majority of cyber attacks. In a 2017 report, Champlain College researchers concluded that 60 percent of small businesses fail within six months of a cyber attack. So it’s all the more troubling that 74 percent of Risk Index small business respondents said they did not purchase cyber insurance.

“A disconnect has always been a part of the results,” said Francis, who’s worked on the Risk Index project since its launch in 2013.

“And if I’m reading between the lines, there’s a little bit of ‘Well, but it’s really not going to happen to me.’ ”

While respondents may have seemed overly confident about their cyber-attack readiness, most admitted that it’s a challenge to keep up with the threat. Three-quarters of respondents agreed it is difficult to keep up with the evolving cyber landscape, information and digital developments.

Compared to last year’s survey, the three biggest cyber concerns remain the same: security breach, system glitch and unauthorized access to bank accounts.

Three other cyber-related concerns — cyber extortion, remote hacking of operational software systems and having inadequate resources to recover from a cyber event — jumped up five percentage points from last year’s survey.

One additional disconnect in the survey data stands out. Only 36 percent of survey respondents are concerned about business email compromise (BEC) scams, specifically someone deceiving their employees into transferring funds. And yet FBI data shows a 2,370 percent increase in losses from such scams in just a two-year period.

Some people still hold a firm belief that none of their employees would ever fall for such a ruse because they’re still thinking about the old-school scam email from a Nigerian “Prince,” said Francis. But that, of course, isn’t the reality of how sophisticated these scams have become.

As risk managers review their cyber exposures and consider whether their organizations are adequately protected, it’s important that they remember “they don’t have to figure out a brave new world on their own — there are resources available to them,” said Francis.

“Talk to your brokers, talk to your agents, talk to your carriers and see what your options are.”

Michelle Kerr is Workers’ Compensation Editor and National Conference Chair for Risk & Insurance. She can be reached at [email protected].