Confidence in being able to manage cyber risk has not improved in the last two years, according to a new report from Marsh.
The report, The State of Cyber Resilience, questioned over 660 cyber risk decision makers globally and analyses how cyber risk is viewed by various functions and executives in leading organisations, including cybersecurity and IT, risk management and insurance, finance, and executive leadership.
According to the report, leadership confidence in their organisation’s core cyber risk management capabilities – including the ability to understand/assess cyber threats, mitigate/prevent cyber attacks, and manage/respond to cyber attacks – is largely unchanged since 2019, when 19.7% of respondents stated they were highly confident, compared to 19% in 2022.
Sarah Stephens, head of international cyber at Marsh, said: “Given the continued rise of ransomware and the current tumultuous threat landscape, it is not surprising that many organizations do not feel any more confident in their ability to respond to cyber risks now than they were in 2019.”
The report, produced in conjunction with Microsoft, made a number of findings and highlighted eight key trends:
- Aligning cyber-specific and enterprise-wide goals to build resilience, rather than just preventing attacks.
- There are other threats apart from ransomware, including phishing and social engineering, privacy breaches, and business interruption.
- Insurance is an important part of cyber risk management.
- Adopting more cybersecurity controls leads to higher cyber hygiene ratings.
- Organisations lag in measuring risk in financial terms, hurting the ability to communicate cyber threats across the enterprise.
- Increased investment in cyber risk mitigation continues, though spending priorities vary.
- New technology needs to be assessed and monitored continually.
- Firms adopt many cybersecurity measures, but overlook their supply chains.
Writing in the report, Marsh said: “A best practices approach to cyber risk management spans organizational roles. This includes investing and engaging in a broad, balanced, and continuously updated array of resources and activities to mitigate cyber risks and reinforce cyber resilience. However, even the best tools and activities are unlikely to meet their potential if there is not effective communication across the enterprise.”