In Brief

On Cyber, Businesses Still a Step Behind

Citing a lack of resources and internal collaboration, most companies still don’t treat cyber as a strategic, enterprise-wide risk.
By: | December 14, 2017

This summer’s WannaCry ransomware attack demonstrated how far and how rapidly a cyber bug can spread. According to a recent Harvard Business Review (HBR) Analytic Services report, “the WannaCry ransomware infection caused $8 billion in economic damage in more than 100 countries.”

For its report, “Managing Cyber Risk: Understanding the Opportunity,” HBR surveyed 278 individuals from both large and small organizations.

Risk Recognized, not Quantified

Eighty-five percent of respondents said they expect the financial impact of cyberattacks to rise over the next two years, but few organizations calculated that impact. Despite 60 percent of respondents saying they’ve developed cyber risk models, only 40 percent of respondents have tried to quantify the financial impact of a breach.

While smaller organizations see themselves as less likely targets for hackers (46 compared to 65 percent of larger companies), they are beginning to build cybersecurity into broader risk management plans. But progress remains slow.

A disconnect exists between how organizations perceive cyber risk and their efforts to manage it. Businesses recognize cyberattacks could impede operations, damage reputations and relationships with partners and customers, tarnish prospects and investments, incur significant legal and regulatory fines and cause huge financial losses.

Yet most organizations fail to approach the risk as they would other formidable risks. They treat cyber risk as a technology risk rather than an enterprise risk, failing to build cybersecurity into strategic plans.

Thirty-eight percent of respondents said internal collaboration around cyber risk was not sufficient. Only 23 percent reported adopting a formal strategic plan to address business risks from cyberattacks.

Small Companies Fall Behind

Smaller organizations could point to few efforts at institutional cyber risk management, including appointing a chief information security officer and offering company-wide cyber training.

Only 14 percent of respondents from small companies said they felt their employer was fully prepared for a cyber breach.

Why are companies falling short? The primary explanation was a lack of financial resources and dedicated staff. Fifty-six percent of smaller companies and 42 percent of larger companies said their organization lacks the assets to address cyber risks. &

Katie Dwyer is a freelance editor and writer based out of Philadelphia. She can be reached at [email protected].

More from Risk & Insurance