Cyber risk is pervasive at most organizations, the report's authors emphasize: any employee or vendor firing up a laptop from home brings risk, as does a user connecting a new product to the Internet of Things. Yet deciding not to launch a new product for fear of cyber threats is also a risk. Countering such risks requires enterprise-wide alignment.
Interviews conducted by the report's authors with hundreds of CEOs and risk, finance, IT, and cybersecurity leaders from across the globe enabled them to discern 8 key cyber risk trends, as listed in the paper's executive summary:
- Cyber-specific enterprise-wide goals - including cybersecurity measures, insurance, data and analytics, and incident response plans - should be aligned to building cyber resilience versus simply preventing incidents, as every organization can expect a cyberattack. 73% of companies said they had experienced a cyberattack.
- Ransomware is considered the top cyber threat faced by companies, but not the only one. Other prevalent threats include phishing/social engineering, privacy breaches, and business interruption due to an external supplier being attacked.
- Insurance is an important part of cyber risk management strategy, and influences the adoption of best practices and controls. 61% said their company buys some type of cyber insurance coverage.
- Adoption of more cybersecurity controls leads to higher cyber hygiene ratings. Just 3% of respondents rated their company's cyber hygiene as excellent.
- Organizations lag in measuring cyber risk in financial terms, which hurts their ability to effectively communicate cyber threats across the enterprise. Just 26% of respondents said their organization uses financial measures for cyber risk.
- Increased investment in cyber risk mitigation continues, though spending priorities vary across the enterprise. 64% said the spur to increasing cyber risk investments was having experienced an attack.
- New technologies need to be assessed and monitored on a continuous basis, not just during exploration and testing prior to adoption. 54% of companies said they do not extend risk assessments of new technologies beyond implementation.
- Firms take many cybersecurity actions, but widely overlook their vendors/digital supply chains. Only 43% have conducted a risk assessment of their vendor/supply chain.
Click here to get the full 2022 edition of "The State of Cyber Resilience" report by Marsh and Microsoft.