Introduction: The Gap Between Perception and Understanding of Cyber Risk
Digital technology, which has made it possible for organizations to amass vast stores of data, has also made it possible for unseen attackers to gain access to that data – stealing it, rendering it unusable, holding it electronically for ransom or doing other harm. The term “cyber-attack” only appeared in 1996; by 2017, one study estimated that a typical firm experiences 130 security breaches each year.
Marsh & McLennan Agency surveyed 1,141 executives from small to middle-market organizations across North America, and found that they are clearly concerned about cyber risk – but, by their own admission, they do not have a grasp of how to protect themselves.
Look at these conflicting responses:
On the one hand:
- Almost 60% said they consider cyber to be one of the top five risks they face, if not the very first (see Figure 1).
- 78% said they were highly or at least fairly confident that their organization would be able to manage and respond to a cyber-attack.
- And 82% said they were highly or at least fairly confident that their organization would be able to understand and assess a cyber-attack.
On the other hand:
- Only 18% said they had developed a cyber incident response plan.
- 34% said they had conducted a cybersecurity gap assessment.
- 36% said they had implemented a plan to train employees to recognize phishing emails.
- And 23% said they had conducted penetration testing of their online defenses.
The disparity is considerable. Executives are clearly worried about cyber risk, but admit they do not understand the range of protective steps available to them. Notably, when senior executives were asked if their organizations carried cyber insurance, more than a third said they did not even know. We will go into greater detail on the pages that follow.
Background on the Marsh & McLennan Agency Survey
The survey covered a wide range of organizations, geographies, economic sectors and job functions. Just under 53% of the respondents came from organizations with less than US$10 million in annual revenue, and 26% reported US$10-50 million in annual revenue. The other 21% ranged from US$50 million to more than US$5 billion annually. Half (49.8%) had fewer than 50 employees, 28% had 50 to 250 employees, and 22% had 250 or more. The responses were geographically diverse across North America, with the largest concentrations in California, Michigan, Florida and Massachusetts. Professional services, healthcare, construction and manufacturing each represented between 10 and 15 percent of the survey group. Another 10% came from nonprofits or other public entities.
More than half the respondents in the survey group (53%) reported they were from the C-suites of their organizations. More than 20% were CEOs, 16% were chief financial officers, and 11% said they were board members. In a separate question, 17% of respondents reported their role was in operations, and 15% came from human resources. The study, begun in summer 2017, was conducted in tandem with the Global Cyber Risk Perception Survey put together by Marsh in partnership with Microsoft.
Figure 1: Among my organization’s risk management priorities, cyber risk is:
We hope that when you read this report, you will see your own concerns reflected, and find it a useful tool in benchmarking your own cybersecurity efforts against those of peer organizations.
Section 1: A Shortage of Essential Information
Marsh & McLennan Agency asked: What is your organization doing about cyber insurance? A plurality said they had insurance, and were either planning to maintain their current level of coverage or planned to increase it (see Figure 2).
But the single most common answer was: “I do not know.” Some 36% of respondents had not been told what their organizations were spending on cyber risk. The numbers were consistent across functions within organizations, including members of boards of directors.
Figure 2: What is your organization’s status with regard to cyber insurance?
For smaller organizations, such numbers may be easy to explain. If they have finite resources, they need to give priority to immediate issues before they can turn to long-term risks such as cyber. If organizations were large enough to have a chief technology officer, a chief information security officer or an information technology (IT) team, those people had a clearer sense of where they stood – and greater confidence that they could respond to or mitigate a cyber-attack. But small employers were less likely to have staff dedicated to IT.
The numbers were even starker when respondents were asked if cyber insurance met their needs (see Figure 3). Approximately 21% said the cyber insurance available in today’s market “meets all of my organization’s needs.” And very few (4%) said the available coverage did not meet their needs at all. But the majority in this case – 59% – said, “I do not know.”
Figure 3: The cyber insurance available in today’s market:
The responses were consistent across industry sectors, with some variation (see Figure 4). Healthcare and financial services organizations generally showed more confidence in their ability to manage, respond to and recover from a cyber incident. Construction and agriculture were, in the aggregate, less confident.
Figure 4: Please indicate your confidence in your organization's ability to manage, respond to and recover from a cyber incident.
Section 2: What Concerns You?
Respondents were asked which cyber loss scenarios concerned them the most (see Figure 5). The leading answer (68%) was business interruption, followed by breach of customer information and data or software damage. Reputational damage trailed, though larger organizations generally expressed greater worry about reputational risk than smaller ones.
Figure 5: Which cyber loss scenarios present the greatest potential impact to your organization?
| Cyber loss scenario | Share of respondents |
|---|---|
| Business Interruption | 68% |
| Breach of Customer Information | 57% |
| Data or Software Damage | 53% |
When asked what threat actors concerned them in attacks that delivered destructive malware, respondents said by far that they were most worried about financially motivated attacks (see Figure 6). Human or operational error ranked second and third.
Figure 6: With regard to a cyber-attack that delivers destructive malware, which threat actor concerns you the most?
| Threat actor | Share of respondents |
|---|---|
| Financially motivated external threat (i.e. organized crime, "hacktivist" group) | (not preserved) |
| Human or operational error (i.e. employee loses mobile device) | (not preserved) |
| Third party with authorized access to your IT resources | 13% |
| Malicious/rogue employee or contractor | 9% |
Section 3: How Do You Measure the Risk You Face?
It is a common saying in business that “You can’t manage what you can’t measure.” In the survey by Marsh & McLennan Agency, most organizations said they did not know how to measure the cyber risk they face. Almost half the respondents (49%) said they had no method to measure or express cyber risk, and another 27% said they did not know if their organization did any measurement (see Figure 7).
Among those who answered affirmatively, only 2% said they estimated their value at risk in economic terms, recommended by risk managers as the most robust way to understand cyber threats. Just under a quarter of respondents said they estimated their risk qualitatively, either by using terms such as “high,” “medium” and “low” (11%) or without categories or rankings (another 11%).
Figure 7: How does your organization measure or express its cyber risk exposure?
Perhaps that explains why so few members of the survey group (18%) said their organizations had developed cyber incident response plans. Of those that had not, 20% said their organization lacked the expertise, and 14% said a plan was not an organizational priority.
Another 17% said they believed their cybersecurity was adequate to prevent breaches. They may be overconfident: While there are many excellent products and processes for protecting against cyber-attack, the threat landscape is rapidly and continuously evolving, and even the best defenses can never be perfect. Cyber is a business risk to be managed, not just a technological threat that can necessarily be stopped.
Section 4: Small & Middle Market Employers are at Risk
The reality is that regardless of size, large organizations and small ones are exposed substantially to the same cyber risks. If anything, small and middle-market organizations are more vulnerable because they have fewer resources to devote to cybersecurity, and cyber-attackers know that. Half of the 28 million small businesses in the United States suffered security breaches in 2016, according to one survey. Many more were probably victims of successful attacks, but never knew that unseen parties were mining their data.
A small organization can offer attackers as many possible ways of penetration as a large one. Here are some numbers from the Marsh & McLennan Agency survey of small and middle-market employers, and from the Marsh survey of large employers, showing the vulnerabilities respondents reported they had. The surveys asked the questions the same way, so the results are comparable:
| Reported exposure | Small & middle-market (Marsh & McLennan Agency survey) | Large employers (Marsh survey) |
|---|---|---|
| Have one or more computers connected to the internet | 95% | 94% |
| Hold past or present client and/or customer information electronically | 75% | 82% |
| Process/access banking information electronically | 76% | 76% |
| Hold past or present employee records electronically | 61% | 82% |
| Hold supplier information electronically | 49% | 76% |
| Use cloud services | 59% | 68% |
| Process credit card transactions electronically | 50% | 42% |
One way in which organizations varied by size was in the steps they took to protect themselves. In general, the larger the organization, the more proactive it was:
STEPS TAKEN TO ADDRESS CYBER RISK

| ASSESS & ANALYZE | Small & middle-market | Large employers |
|---|---|---|
| Conducted a cybersecurity gap assessment | 34% | 51% |
| Benchmarked cyber risks against peer organizations and/or our industry | 12% | 25% |
| Modeled potential cyber loss scenarios | 11% | 23% |

| SECURE & INSURE | Small & middle-market | Large employers |
|---|---|---|
| Encrypted organizational desktop and laptop computers | 38% | 44% |
| Required multi-factor authentication for remote access to our private network | 33% | 41% |
| Reduced external system connectivity | 34% | 31% |
| Implemented a data loss prevention solution | 26% | 35% |
| Conducted penetration testing | 23% | 40% |
| Improved vulnerability and patch management | 30% | 46% |
| Increased cyber risk insurance limits of liability | 19% | 17% |
| Restructured cyber insurance and/or purchased different coverages | 12% | 15% |

| RESPOND & RECOVER | Small & middle-market | Large employers |
|---|---|---|
| Made tangible improvements to cyber event detection | 28% | 35% |
| Implemented/enhanced phishing awareness training for employees | 36% | 54% |
| Developed a cyber incident response plan | 18% | 30% |
| Identified external legal support, PR, and/or cybersecurity experts to provide support services during a cyber incident | 16% | 21% |

| OTHER | Small & middle-market | Large employers |
|---|---|---|
| I do not know | 20% | 11% |
The conclusion to be drawn from these two sets of numbers is that while small and middle-market organizations generally have fewer resources to devote to cybersecurity, their vulnerability to attack is still substantially what it is for organizations with annual revenues of more than US$5 billion. Large organizations are more visible when they suffer a data breach, but smaller organizations, in our experience, suffer breaches as frequently.
Section 5: Solutions and Recommendations
Cyber risk is a dark, shadowy area, and, clearly, it is a difficult one for many of the organizations included in the Marsh & McLennan Agency survey. Respondents say they are concerned about cybersecurity, but often lack the knowledge or the means to take protective action.
But the survey also shows that companies and organizations of many sizes are discussing the issue and finding solutions appropriate to their needs.
The clearest reflection of this in the survey was that when organizations reported they had taken steps to protect themselves, they said they were satisfied with the results.
Organizations that have insurance said they plan to keep it. Of the entire survey group of 1,141 respondents (see Figure 8), only three said they planned to decrease the number or types of cyber risks covered, and only one planned to decrease its coverage limits. Not one respondent – zero – said it would discontinue its cyber insurance coverage.
Figure 8: What is your organization's status with regard to cyber insurance?
If respondents said they had insurance and planned to maintain or increase their coverage levels, we asked what drove their decisions. The single largest response (35%) was that it was part of a cyber risk management plan; 30% said they were prompted by cyber-attacks on other companies, and 10% said they had experienced cyber incidents themselves (see Figure 9).
Figure 9: What is the driver behind your organization’s decision to purchase or increase its cyber insurance? [Select all that apply]
One further point: Organizations that took steps to protect themselves were also more confident of their ability to handle cyber risk (see Figure 10). This was consistently true across industry sectors and organizational size.
Figure 10: There is a correlation between respondents’ confidence levels and the protective measures their organizations took to manage cyber risk:
We began with the observation that while a majority in the Marsh & McLennan Agency survey regard cyber as a top-five risk, very few say they have acted on their concern. Substantial numbers said they did not know, or could not agree internally upon, appropriate steps to protect their organizations from the risk of cyber-attack. There were some respondents who said cyber was not an organizational priority for them, but they were a minority. At the other end of the spectrum were other respondents who had comprehensive cyber incident response plans; they were a minority as well.
But an important theme that emerges from the survey responses is that once organizations have taken steps to mitigate cyber risk, they are clearly more confident of their ability to understand, respond to, and recover from all-but-inevitable cyber-attacks. That helps them move on comfortably to business growth, execution of their organizational mission and other top priorities.
It is therefore important for organizations to understand cyber risk and what they can do about it. Understanding leads to action, which leads to greater security, reduced risk of attack, and reduced fear of the effects.
The time to have a conversation is now. All too often, the discussion of cybersecurity does not begin until after a successful attack, which is too late.
If you would like to read more about organizational responses to cyber risk, Marsh and Microsoft partnered to produce “By the Numbers: Global Cyber Risk Perception Survey.” It shows, among other things, the value of a comprehensive approach to cybersecurity.
We thank the many people who responded to the survey questions, and we encourage you to contact us with questions and ideas.