Cybersecurity vulnerability rises to top concern among large organizations
What’s weighing most on the minds of business leaders when it comes to cyber risks? That’s what the Travelers Risk Index aimed to uncover, as the annual survey asked decision makers how they feel about cyber threats affecting their businesses.
The study was conducted by Travelers Insurance. Responses came from companies of all sizes and various industries, on topics such as whether their business has been victimized by a cyber attack, whether they feel confident their company has taken the necessary steps to protect against a cyber event, and what worries them the most when it comes to the cyber landscape.
Tim Francis, vice president and enterprise cyber lead at Travelers, weighed in on the findings, on cyber trends heading into 2019 and what companies should do to best protect themselves.
Information Management: What were the top general information security trends revealed in the recent 2018 Travelers Risk Index?
Tim Francis: A few trends certainly stand out. The cyber threat continues to be a top concern. Once again it was the No. 2 concern covering all businesses, behind only medical cost inflation. But it was the top overall concern among large businesses (at least 1,000 employees) and in certain segments such as technology, banking and professional services.
Looking at specific cyber concerns, the top three in 2017 remained the same in 2018. The biggest cyber concern is suffering a security breach, followed by unauthorized access to bank accounts and a system glitch.
IM: What findings of the study most surprised you?
Francis: I was surprised at the percentage of survey respondents who said they were confident their company has taken steps to guard against suffering a cyber event, when the details of what steps those businesses have taken to avoid one – or not taken, to be more accurate – seem to suggest otherwise.
More than 90 percent expressed some level of confidence that their company has implemented best practices to avoid a cyber event. But in terms of taking actions to reduce cyber risk, 55 percent said their company has not taken a cyber risk assessment, 62 percent said they don’t have a business continuity plan in the event of a cyber attack, and 63 percent said they have not done a cyber risk assessment on vendors who have access to company data.
This seems to indicate a disconnect between cyber risk mitigation actions not being taken by enough companies and the perceived confidence people have that safeguarding steps have been implemented.
IM: What findings of the study most trouble or concern you?
Francis: The overconfidence that many of the survey respondents appear to show regarding steps their companies have taken to strengthen their cyber security networks would be at the top of my list, especially when more than half of the respondents said they believe that suffering a cyber attack is inevitable.
Another notable number from the Travelers Risk Index is the fact that, despite the frequency and severity of cyber attacks, 50 percent of the more than 1,200 people who took the survey said their company does not purchase cyber insurance. That’s alarming, due to the significant damage that can be done – and has been done – to businesses that have suffered a cyber event.
IM: Where do organizations feel they stand in terms of their ability to defend against cyber attacks and data breaches?
Francis: The majority said they feel it is difficult to keep up with the evolving cyber landscape, leaning on internal IT staff and external IT consultants for information. And while 91 percent said they were confident that their company has implemented best practices to avoid or mitigate a cyber event, a similar percentage (88 percent) expressed confidence that their company would know what to do if it experienced one. Half of the survey respondents also said they felt their business would be able to handle the cost and logistics that come with a cyber event.
IM: Why do you feel many organizations continually lag behind in terms of cyber security defenses?
Francis: Cyber security defenses take resources, and many businesses conclude that they don’t have the means to invest heavily in that area. But it doesn’t cost much to take the most basic protective steps, and they’re bound to pay off. Spending money on a cyber risk assessment will identify potential cyber exposures and offer ways to protect the business against them.
Another suggestion is to speak with an independent insurance agent and ask questions about obtaining a standalone cyber policy, because many businesses might assume that any damaging cyber activity is covered in their general liability insurance policy, and that’s not necessarily the case.
IM: What are some of the most important things an organization can do to best posture itself, but many don’t?
Francis: Companies of all sizes should educate their employees about cyber risks – what they are and how incidents can occur – and have proper safeguards in place to prevent an attack from happening in the first place. Beyond prevention, they should have systems in place in the event something happens, including insurance policies to manage financial risks and a crisis communications plan for internal and external parties.
Business decision makers need a strong understanding of what their cyber risks are and how they can be managed in order to communicate dangers with employees and fully integrate the company and its employees in behaviors that help limit cyber risks. Employees are some of the most influential gatekeepers of cyber security and the success of a system often relies on their interactions with technology; risks and triggers for potential cyber attacks need to be clear to employees so they can limit exposure on the front line.
IM: What are the top trends now and emerging that will keep cyber attackers a step ahead of organizations in their defenses?
Francis: Well, we hope that doesn’t continue, but we realize that as long as companies use technology to store valuable information, there will be bad actors out there trying to access it. As cyber attackers use different avenues in which to infiltrate a network system and gain access to valuable data, the hope is that the defense systems companies can use continue to evolve as well.