Though cybercrime is an evidently growing concern for most businesses, a new survey has found some businesses are becoming less confident in their ability to understand and assess cyber risk, prevent cyber attacks, or deal with the impact of an attack or event.
The Global Cyber Risk Perception Survey Report 2019 compiled by Marsh in partnership with Microsoft “investigates the state of cyber risk perceptions and risk management at organisations worldwide.”
Cyber risk is a top concern
The survey of 1,500 companies found that 79% put cyber risk as a top five concern, a figure that has risen from 62% in 2017.
This correlates with another recent survey of UK banks and financiers which found expected cybersecurity investment rising from eighth on a list of technology investment priorities in 2018 to fourth in 2019.
The Marsh and Microsoft Survey found 77% of respondents were considering investment in new technology but 23%, including many smaller firms, believe the cyber risk of new technology outweighs potential benefits. 64% of those asked said a cyber incident or attack would be the biggest prompt for a “planned increase in budget allocation” with 46% saying news of an attack on another organisation would impact potential spend.
But confidence in dealing with cyber risk is falling
The percentage of businesses who said they had “no confidence” in understanding and assessing cyber risk rose from 9% to 18% from the previous survey. A lack of confidence in preventing cyber threats rose from 12% to 19% and a lack of confidence in responding to cyber events, like attacks, rose from 15% to 22%.
This waning confidence could point to a greater need for security awareness and relevant training within businesses as they face ever-evolving new threats. It also suggests that coping with the threat of cybercrime is not just about employing new technology: technology needs to be accompanied by education, following the old adage “knowledge is power.”
In fact, this latest survey found 83% of companies have “strengthened computer and system security of the past two years, but less than 30% have conducted management training or modelled cyber loss scenarios.”
Security awareness training could raise confidence
Empowered companies, and their employees, may gain confidence in dealing with cyber threats and in using new technology without the perception that new technology could mean a new wave of threats. Some of the most common types of attack, like phishing attacks, rely on cybercriminals fooling individuals into opening scam emails and clicking on malicious URLs.
Cyber security is a long and broad game
In the Marsh and Microsoft survey, 50% of companies did say cyber risk is “almost never” a barrier to deploying new technology. 75% of respondents evaluate the risks of new technology before using it, but only 5% said “they evaluate risk throughout the technology lifecycle.” That is a concerning figure, given that threats evolve as savvy cyber criminals constantly adapt to thwart cybersecurity practices.
Security awareness should also be broad across an organisation. IT managers and professionals must stay ahead of the game, but employees who use any software or systems at all need to be aware of risks and of best practices for dealing with them.
So too must security awareness stretch to the implications along a company’s entire supply chain. Businesses must evaluate the processes and practices of third-party suppliers or vendors, especially where data is handled, stored and at risk.
Marsh and Microsoft found that 39% of companies said the cyber risk from their technology supply chain was “high or somewhat high.” But only 16% recognised that their own risk impact along the supply chain could also be high. And, according to Marsh:
“Respondents were more likely to set a higher bar for their own organization’s cyber risk management actions than they do for their suppliers.”
Again, relatively few firms were “highly confident” in their ability to mitigate supply chain risk. Marsh suggests that supply chain risk should be a collective issue between partners. In its key takeaways overall, the report says companies should:
“Create a strong organisational cybersecurity culture, with clear, shared standards for governance, accountability, resources, and actions.”
Comprehensive, cross-company security awareness can help to prevent cybercrime in a number of ways, including preventing human error and stopping employees from becoming unsuspecting victims of scams and phishing emails, which often lead to system breaches. Awareness is proactive and preventative, helping to maximise the cost-effectiveness of technology investment and hopefully prevent cyber breaches and the immense costs that they can cause. Security awareness also helps with regulatory compliance.
Security awareness training can boost corporate confidence
Most importantly, in relation to this latest survey on the growing issue of cyber risk, good awareness and knowledge can boost confidence, empowering individuals at any level to meet risk head-on, or at least to know what to do, or who to go to, if they identify a potential risk.
The Defence Works is already helping many organisations to protect against cybercrime. Try our free demo to find out how.