The financial damage caused by a large data breach or malicious employee activity can be enormous, but while more than three-quarters of organizations say they have become more concerned about information security and privacy in the past three years, the lack of cyber risk insurance could lead to a “global” shock.
According to Zurich Insurance, only 19% have bought insurance against cyber risks, only 16% of companies have designated a chief information security officer to oversee cyber risk, and fewer than half (44%) have increased their budget to tackle the problem.
A full 20% of the firms polled in the white paper, produced in association with the Federation of European Risk Management Associations said that they felt their firm did not spend enough on cyber defense.
“The internet is the most complex system humanity has ever devised. Although it has been incredibly resilient for the past few decades, the risk is that the complexity which has made cyberspace relatively risk-free can – and likely will – backfire,” said Axel Lehmann, Group Chief Risk Officer and Regional Chairman Europe at Zurich Insurance Group.
“Organizations are unknowingly exposed to risks outside their organization, having outsourced, interconnected or exposed themselves to an increasingly complex and unknowable web of networks.”
Reporting on the poll of 152 senior employees mostly based in Europe, IB Times commented that lack of awareness of cyber risk could lead to a “global shock” unlike anything yet seen in cyberspace – and lead to a financial crisis.
Despite malicious employee activity being one of the major risks corporations faced, only just over a third (36%) of survey respondents said their organization conducts information security and risk training at enterprise level for all employees.
Julia Graham, FERMA board member and CRO at the global law firm DLA Piper, said cybersecurity was “the organization’s ability to secure its people, information, systems, and reputation in cyberspace,” and that all businesses are in charge of a mass of “personally identifiable information and how that is stored and collected and used.”
Graham said that risk management had to start at board level, but be present throughout the company, “In the human resources manager, managing confidentiality agreements in people’s contracts, for example. It’s the domain of your marketing or development department, who often own the development and use of your social media policy. Therefore this is a classic enterprise risk. You need your whole business or organization to consider cyber risk from their point of view.”
“The solutions need not be highly complex. It doesn’t have to be through spending a lot of money to put up fantastic firewalls around your systems. Some of the most simple measures of prevention can be the most effective.”
Graham said “Manage your documentation correctly. Don’t let that become another risk by removing documents that are properly stored electronically and putting them on unencrypted memory sticks—because you can kill one risk and then watch it become a problem somewhere else.”
Steve Wilson, Chief Risk Officer for General Insurance, Zurich Insurance Group said: “Cyber risk comes in a bewildering variety of forms for organizations and we hope this research will provide risk managers with important insights into this critical issue. As the survey shows, it is essential that organizations do not fall into the trap of a top-down approach, taking a holistic approach which engages all employees to meeting this challenge”.
Author Rob Waugh, We Live Security