No company — regardless of size or stature — is immune from cyberattack. Given how pervasive attacks have become, it's no longer enough to have a thorough, carefully constructed plan to mitigate cyber risk. The thinking "It won't happen to me because I have a protection plan" doesn't cut it anymore.
While being able to assess cyber risk and have a protection plan is crucial, there’s an increasing focus within organizations on how to quickly — and successfully — recover and respond in the event of a cyber incident, to be more cyber-resilient.
So where are organizations on their journey, and where do they need to improve? To find out, the Economist Intelligence Unit asked 452 large-company board members, C-suite executives and directors to rate their organization's cyber-resilience across 10 key areas, ranging from cyber risk assessment and response strategies to technology and human capital plans.
The study, sponsored by Willis Towers Watson, found that while all organizations said their cyber-resilience abilities were above average, there were key areas where they were slightly less confident, including:
- Applying lessons learned from past incidents
- The ability to build a cyber-savvy workforce
- Identifying and filling gaps in cyber talent
In fact, when asked about applying lessons learned from past incidents, only 13% said they were well above average and a quarter said they were below average. Bear in mind that among all of the companies surveyed, one-third had experienced a devastating cyberattack within the last year — one that disrupted business operations, impaired financials and damaged reputations. A majority of those respondents place high odds on the occurrence of another incident.
Clearly, it’s time for a different approach, and soon. So, what can organizations do to make themselves more cyber-resilient?
Education and board buy-in are key
Continued understanding of cyber threats, the risks involved and business impact is the first step, and it starts with the most influential members of your organization — the board of directors.
Given the board is responsible for governance and oversight of risks that affect the entire enterprise, the development of a strategic framework should fall under their purview.
While board members may not be cyber experts, it is their knowledge and general understanding of risk management, coupled with their stewardship and governance responsibilities, that matter most for leading a cyber-resilient organization. The technical aspects are still important and should be discussed with the board early and often, so that members understand the risks the organization might face and can develop a strategy to help protect against them.
In addition to more familiar risk assessments, a big part of that strategy should include addressing the human element of cyber risk. Findings from last year’s Cyber Risk Survey Report confirmed that the biggest threat to cybersecurity remains a company’s workforce and two-thirds of cyber breaches are caused, or enabled by, employee negligence or malfeasance. Organizations can drive a cyber-savvy workforce by:
- Uncovering vulnerabilities in the culture
- Educating employees on cyber threats and risks
- Establishing ongoing, innovative training programs and implementing sound cyber-related HR policies
Additionally, being proactive in designing and executing a plan to address the war for cybersecurity talent helps ensure that the organization has the people it needs to respond quickly in the event of an incident.
The bottom line
Our survey shows that companies are confident in their ability to respond to cyberattacks, but there’s room for improvement. What’s clear is that as technological advances are made, the cyber threat landscape will continue to evolve, spurring board members and executives to rethink how to improve cyber-resilience across the organization. Helping management develop a strategy to mitigate cyber risk, applying lessons learned and empowering a corporate culture are all essential elements to address on the journey to cyber-resiliency.