In May 2017, the world experienced an unprecedented ransomware attack called WannaCry. The scale and the rapid spread of the ransomware made the attack the largest of its kind ever.
The WannaCry ransomware infection caused $8bn in economic damage in more than 100 countries, while the NotPetya attack a month later cost an estimated $850m, including disruption to the global operations of Merck; shipping giant A.P. Moller-Maersk, which estimated its own total cost of addressing the attack would be in the $200-$300m range; and FedEx, which analysts forecast could see its earnings eroded by somewhere between 50 cents and $1 per share.
These cyberattacks were a wake-up call to many, highlighting the potentially widespread impact of a single cyber vulnerability and demonstrating the consequences of not taking cybersecurity seriously. Many organisations still rely on out-of-date security solutions and haven’t invested in security precautions. Few treat cyber as a strategic business risk.
To better understand how organisations are responding to threats from cyberattacks and breaches, JLT Specialty sponsored a survey by Harvard Business Review Analytic Services. Harvard Business Review Analytic Services surveyed 278 corporate executives from a wide range of industries, roughly evenly split between large organisations with 10,000 or more employees and those with fewer. In addition, one-to-one interviews were conducted with a group of industry-specific thought leaders.
Cyber risk is evolving faster than many people realise
Overwhelmingly, 85 percent of survey respondents expected the financial impact of cyberattacks and breaches to rise in the next one or two years. Cyber risk is evolving faster than many people realise. These cyberattacks and breaches are a threat to daily operations, future profits, relationships and reputation. More than three-quarters mentioned reputational damage (79 percent) and disruption of business operations (75 percent) as significant or very significant risks, followed by increased legal and regulatory costs (60 percent), lost business and/or investment opportunities (58 percent) and risk convergence and cascading effects (57 percent). Any and all of these consequences could have a negative effect on the company’s earnings and share price.
Organisations are making progress in spreading awareness of cybersecurity among their employees, according to the Harvard Business Review Analytic Services survey. More than two-thirds of respondents include all employees in cybersecurity training and 37 percent conduct ongoing, staff-wide cybersecurity training. To be successful against cyber risks, organisations need to have a strategic, cohesive, clear and collaborative strategy. There needs to be a culture of cybersecurity from the top down and across an organisation.
Most organisations don’t have this view, and the survey confirms this. The findings show only 23 percent of respondents have a formal strategic plan to address business risks from cyberattacks. In addition, only 21 percent of respondents’ organisations have defined cybersecurity as an area of business risk and incorporated it into their vision and risk appetite statements.
The study shows a minority of companies are actually prepared for cyber events: only 26 percent of the respondents said their organisations are well prepared for an attack or breach. The survey findings suggest that many organisations still regard cybersecurity as a discrete problem to be delegated to IT specialists and compliance executives. This must change. As reliance on digital technology continues to grow, businesses will only see their vulnerability increase.
It is our hope that this research will be a starting point for organisations to redefine cyber as a strategic business risk and begin to approach cyber risks differently, and to maximise opportunities to mitigate this growing threat.