Cyber Threats Will Never Cease. So Why Do Only 17% of Companies Have Adequate Security Measures In Place?

Aon's 2021 Cyber Risk Report looks at which industries are lagging in cyber resilience and how to prioritize a healthy cyber budget.
By: Emma Brenner | February 5, 2022

We are closing in on the second full year of life with COVID-19. Cyber risks, established prior to the pandemic and having grown during its peaks, are likely not done evolving.

Yet many organizations across several different sectors are still reported as not being sufficiently equipped to deter, and respond to, a cyber attack.

This was a main finding in Aon’s 2021 Cyber Risk Report, which delves into which specific industries are the most vulnerable, why organizations are not prioritizing cybersecurity, and how these organizations can better position themselves against the ever-evolving cyber risk.

The Report’s Central Takeaways

The most alarming finding from the report could quite possibly be the unpreparedness of so many organizations when it comes to cyber risk.

The report found that only two out of five organizations surveyed are prepared to properly respond to cyber exposures.

Additionally, “only 17% [of the organizations reported] have the adequate application security measures in place, [or 83% don’t],” said Jonathan Rajewski, managing director at Stroz Friedberg, an Aon company.

This lack of preparedness comes after some of the most widely-known and tumultuous cyber attacks occurred, which include the Colonial Pipeline and SolarWinds attacks.

Specifically, ransomware incidents have risen sharply: a 400% uptick from the first quarter of 2018 to the fourth quarter of 2020, according to the report. From 2019 through 2020, cyber claims rose by 336%.

Another takeaway is the fact that companies are currently facing what the report calls a “rapid digital evolution,” and they cannot keep up.

“The accelerated digital adoption in business over the last two years, coupled with the pace of change, makes it harder than ever for risk managers to identify and quantify new exposures,” said Rajewski.

As these digital capabilities continue to evolve, so will the risks. If companies do not proactively prioritize their cyber risk responses, they will never match the pace at which risk evolves.

“Simply put, companies need to concentrate on improving their controls,” said Rajewski.

Which industries are behind the curve? The report listed eight sectors: construction, energy, financial institutions, life sciences, manufacturing, professional services, retail and technology.

Rajewski said many of these industries “didn’t think they had the same perceived risk” as those industries that hold much more sensitive data, such as personally identifiable information.

“With the [recent] headlines [of cyber attacks], it’s really been a wake-up call,” Rajewski said.

COVID-19, Increased Cyber Risk and Sophisticated Cyber Criminals

It’s no secret that the implementation of remote work has greatly changed the magnitude of cyber exposure.

As employees worked from home, each carrying their own individual cyber vulnerabilities, it became more difficult for employers to manage the risk on such a wide scale.

As mentioned before, there is a link between the pandemic and an increase in cyber claims. The severity of these cyber attacks has also escalated.

The report found that by the end of 2020, seven out of ten ransomware attacks “involved the threat to leak exfiltrated data.” In some cases, these attacks have led to whole servers being permanently wiped.

The severity of these attacks stems from the rising sophistication of cyber criminals.

“It’s ever evolving. As technology evolves, [cyber criminals] will constantly leverage technology in a way that lets them do what they want to do,” Rajewski said.

These added layers of cyber risk, which continue to change unexpectedly, are another reason why organizations need to establish a clear line of defense. Organizations must have a clear response to deal with the unknown.

Developing a Healthy Cyber Budget

It’s imperative for organizations and companies to create a cybersecurity plan that not only addresses any potential exposures, but is also cost-effective. This is what developing and maintaining a healthy cyber budget entails.

Rajewski said the development of a cyber budget depends on the size of each company and any specific regulatory requirements or industry risks the company may have. However, Rajewski noted a few actions taken by companies that get it right.

For one, a company’s cyber budget should “prioritize budget spending on having the right people, processes and technology in place,” according to Rajewski.

Examples include an assessment team to gauge a company’s cyber resilience, and multi-factor authentication.

This also includes implementing educational programs for employees regarding how cyber criminals can infiltrate a company’s systems and how to respond to phishing emails, which has become a mainstream cyber attack approach.

This type of training can determine whether a cyber attack succeeds or fails, and Rajewski notes that these programs “may require some investment.” However, prioritizing the investment is certainly worth the potential reward.

Emma Brenner is a staff writer with Risk & Insurance. She can be reached at [email protected].