Control Risks study: Cyber threats overwhelm boards of directors
According to a recent study on cyber security by global risk management consultancy Control Risks, many executives feel overwhelmed in the face of cyber threats. This is despite the fact that 77 % of respondents consider members of senior management to be primarily responsible for cyber security management in their company.
Control Risks' global survey of executives and IT decision-makers found that nearly half of respondents believe their company's senior leadership does not take cyber risk seriously enough. This is despite the fact that 77 % of respondents consider members of senior management to be primarily responsible for cyber security management in their organisation - rather than the traditionally responsible IT department.
Just over 31 % of respondents also said they were very or extremely concerned that their business could fall victim to a cyber-attack over the next year. However, a third (34 %) of businesses had no crisis management plan in place in the event of a cyber-attack. This lack of preparation is surprising given the WannaCry ransomware attack of May 12, 2017, the most severe malware attack to date, which affected 150 countries in less than 12 hours.
Key findings of the study:
- Companies struggle with a risk-based approach: Although more and more companies have now realised that compliance with minimum regulatory requirements is not sufficient and want to work harder to actually reduce the risks of a cyber attack, almost half (45 %) see the identification, analysis and reduction of these risks as their greatest challenge.
- Infringements by third parties are causing increasing concern: Just over a third (35 %) of respondents said their company had already had to contend with security vulnerabilities due to third parties in the past. While 9 out of 10 respondents (93 %) took steps to review the cyber security measures of their third parties, for 53 % these were limited to purely contractual clauses.
- Cyber attacks have severe long-term effects: 4 out of 10 respondents said a cyber-attack had already led to the misuse of sensitive or confidential information (43 %) or to the loss of customer data (41 %).
Harald Nikutta, Senior Partner at Control Risks Germany, comments:
"Cyber security is still often seen as a purely technical challenge rather than an overarching business risk. As our survey shows, this limited view can cause many companies considerable concern in the long term. We recommend taking as comprehensive a view as possible with reference to concrete threats to the respective company. The way in which cyber risks are identified, assessed and communicated within the company is of central importance.
It is important that companies understand the potential consequences of cyber risks in their particular case. Only then can these be considered in a risk management strategy and backed up with effective measures."
Companies need to ensure that cyber security is an integral part of the boardroom agenda - including reviewing the external cyber threat landscape in collaboration with IT. In addition, companies benefit from regular crisis management exercises for all relevant parties, including the boardroom, IT, legal, communications and all other members of the crisis management team. These exercises ensure that all parties know their roles and responsibilities and are aware of the potential consequences of cyber-attacks.