Small and midsize employers still appear to be vulnerable to the risks of cyber-crime and data breaches. And organizations are still not doing enough to protect their data or recover from a breach. But there is good news and a strong indication that these organizations are making efforts.
41% of organizations said they have implemented data security insurance coverage, compared to only 33% in 2014.
Those results come from our Annual Cyber & Data Security Risk Survey (the 2015/2016 survey is our third). Our intent was to help small and midsize employers better understand how they compare to their peers around the country in the areas of cyber exposure, adoption of risk management techniques, and their overall understanding of the risk they face.
As with last year, the bottom line could best be described as underestimating risk and overestimating security. And that’s a serious problem, as organizations of all sizes are responsible for protecting valuable information – their own, data from business partners or employees, and, arguably, most importantly, data from clients and customers.
The ultimate lesson, however, to be gleaned from this data is that organizations that view cyber and data security as a fundamental organizational issue – and, therefore, discuss it regularly at the executive level – are positioned far better to weather a cyber or data incident. Specifically, these organizations have more risk management protocols in place and are more prepared to respond to an incident if – and when – one occurs.
Doesn't Cyber Crime Always Happen to Someone Else?
Cyber-crime is on the rise, yet small and midsized firms in the United States haven’t seen protecting themselves against a cyber threat – or planning for the result of experiencing one – as a significant priority.
If an organization is very, very lucky, it might never experience any form of data breach or other cyber security problem. But the odds are not in their favor. In fact, in 2015, 50% of all small to midsize companies reported being the target of a cyberattack. But there’s an even more important – and frightening – fact:
60% of all cyber-attacks last year struck small to medium-sized businesses.
Small to midsized businesses are the most vulnerable, and even one successful attack can shut a company down completely given the enormous costs associated with recovery. Ironically, organizations that participated in the Marsh & McLennan Agency survey believed they were reasonably well protected against cyber-attacks and data breaches.
All respondents’ average self-ranking of their data security: 3.18 out of 5 (scale of 1 to 5, with 1 being not protected at all)
When asked how protected the IT manager (or person responsible for computer systems) would say the organization was from attacks and breaches, that number was even higher.
What do these numbers mean for your security?
- 1.6% - Consider their data security "bomb proof"
- 55.2% - Have no corporate recovery plan in place
- 42.9% - Lack the expertise to develop a data security plan
According to our survey, only 1.6% of the respondents said they thought their organization’s data security was “bomb proof” (although it’s technically impossible to achieve 100% security, it is what an organization should strive to achieve). 55.2% said they did NOT have a corporate recovery plan in place to help guide them in case of the loss of confidential, personally identifiable information. And fully 42.9% said their organization did NOT have the expertise to develop any kind of data security plan.
Even though a growing number of organizations have now added cyber risk insurance, there are still a lot of unprotected small and midsize companies that could be doing a lot more to safeguard themselves with even a little effort.
Data security is something we don't talk about, but we face data risk every day.
In order to run a successful business, most small to midsize organizations are performing functions that can invite cyber-crime if security procedures are not put in place:
Yes, despite the apparent and immediate hazards, data security and risk management are seldom discussed at the executive level of the organizations we surveyed:
- 54.4% - Seldom discuss
- 10.2% - Never discuss
However, those organizations that regularly talk about data security at the C-level are twice as likely to have a recovery program in place in the event of a data security breach. What happens if a service provider either loses or otherwise compromises any confidential data or personally identifiable information for which these organizations are responsible? How does an organization ensure they would recover damages?
Here again, those organizations that discuss cyber-security are much more likely to have taken action to ensure recovery than those that do not. For example:
Percentage of respondents that ensure that attorney-reviewed contracts are in place with all third-party service providers that include compensation guarantees for losses.
- Those that report talking regularly or frequently about cyber security 21.32%
- Those that seldom or never talk about cyber security 6.05%
Percentage of respondents that analyze the financial strength of all third-party providers, ensuring their ability to compensate.
- Those that report talking about security regularly or frequently 24.26%
- Those that do not talk about security regularly or frequently 9.68%
Percentage of respondents that required all vendors to have proper and adequate insurance in place.
- Those that report talking about security regularly or frequently 46.32%
- Those that do not talk about security regularly or frequently 27.82%
Percentage of respondents that report taking NO measures to ensure their ability to recover damages if an outsourced business service provider lost or compromised their data.
- Those that report talking about security regularly or frequently 20.59%
- Those that do not talk about security regularly or frequently 44.76%
How Secure are Your Third Party Partners?
Risk increases when organizations outsource functions that give access to sensitive data. The majority of the firms we surveyed have outsourced a significant amount of potentially sensitive work to third parties. 51% had four or more providers and 36% had three or more.
Your company can be as secure as possible, but if your business partners and vendors lack proper cyber security, you can be vulnerable to attacks and liable for the fallout. Outsourcing these services does not protect your organization – no matter how great your provider’s insurance may be.
How Secure are your Employers?
Social engineering is a growing problem in many organizations; “spear phishing” is one example of this type of fraud. Cyber criminals make contact with employees, gain their trust – often by simply offering an innocent looking link in an email – and then use whatever access they are granted to roam freely through a company’s data, including client and customer data.
The good news? One-third of the employers in our survey had implemented some form of employee education during the past year and 52% had done so within the past three years.
However, employers that are engaged in IT security discussions are more likely to have internal security measures in place. In fact, 70% of employers that discuss cyber security at the executive level regularly or often have implemented employee education in the past three years to guard against cyber-attacks compared to 42% of organizations that seldom or never discuss the issue.
Which risk management techniques have been implemented or conducted within the past 12 months?
In most cases, less than one-third of the respondents had employed any of the individual risk management techniques quoted in the survey (employee education being the exception). But most concerning was that more than 13% of the respondents had done absolutely nothing to manage this risk.
Which of the following loss mitigation techniques have been implemented or conducted within the past 3 years?
Here again, few respondents had established programs for mitigating loss due to a data breach. And 4 out of 10 of them had no loss mitigation capability at all.
As you can see, the numbers illustrate a clear positive correlation. Continued discussion about cyber security and mitigating loss at the highest levels appears to lead organizations to take a far more active role in implementing policies and programs. Beginning those conversations at the C-suite level in an organization is easy to implement and, as we’ve seen from the survey, shows powerful, positive results.
Why don't organizations have a recovery plan in place?
Earlier we said that 55.2% of the organizations we surveyed did NOT have a corporate recovery plan in place to help guide them in case of the loss of confidential, personally identifiable information.
- 34.6% - believe the threat isn’t severe enough to warrant the investment of time and resources.
- 42.9% - don’t have the right expertise in place to develop a plan.
Yet every one of these organizations amasses and stores data – from social security numbers to credit card information – that hackers can sell for substantial profit.
What role does insurance play in managing cyber risk?
We asked organizations whether or not they see insurance as a significant part of their cyber risk management plan:
- 59.2% - More than half of respondents had no cyber liability, network security liability, or confidential information liability insurance policy in place.
- 77.0% - Of those without cyber liability insurance, more than three-quarters had never gotten a quote for cyber liability insurance.
The reasons? They ranged from an inability to afford the additional cost of insurance (12.4%) to not believing the benefits justified the cost (28.0%) to lack of understanding of the coverage (34.8%).
- 13.6% - believed (incorrectly, which was typical) that another policy covered data security.
- 10.4% - stated that internal disagreements on the need for such a policy kept them from investing in one.
But, interestingly, only 7.2% said that their IT security and controls were tight enough to not require coverage.
While the majority remains uninsured, the number of those with policies has risen every year we’ve done this survey. This may be because smaller and midsize employers are learning that strong cyber liability insurance products go beyond simply providing insurance.
So which industries, according to our survey, are taking advantage of cyber liability policies and what those policies can help deliver?
The cost of action versus inaction?
Any organization is vulnerable to a cyber-attack. But small and midsized firms – the ones we surveyed – are especially at risk. They simply don’t have pockets deep enough to sustain the fallout from a data breach.
Corporate reputations can be severely damaged by a cyber-attack. Current customers and clients as well as prospects, vendors, and other business partners will be understandably hesitant to do business with a company that is weathering an attack. Even employee retention and acquisition can be deeply affected.
Yet, according to the survey, nearly 40% have not yet talked with any insurance broker or agency about cyber liability, network security liability, or confidential information liability insurance.
Now is the time to start a conversation.
Everything we’ve learned since we began this survey points to the clear benefits of starting and maintaining regular discussions at the highest levels of any small to midsize organization regarding protection against the eventuality of a cyber-attack or data security incident – as well as the ability to recover should one occur.
To get further information specific to your organization, contact your Marsh & McLennan Agency representative or Dan Hanson at dan.hanson@marshmma.com.