Cyberattack: Are Lessons Learned from Past Disasters Good Enough?
A global study conducted by the Economist Intelligence Unit (EIU) and sponsored by Willis Towers Watson reveals that leaders remain skeptical about the actual implementation of corrective solutions following a cyberattack.
According to the results of the recent survey on cyber risks conducted by the Economist Intelligence Unit (EIU) and sponsored by Willis Towers Watson, the vast majority of executives around the world believe that their companies did not learn enough lessons from the past. EIU surveyed more than 450 companies around the world about the strategies they apply and the challenges they face in developing “cyber resilient” organizations. On the one hand, most companies consider themselves reactive and effective in responding to a cyber disaster. On the other hand, only 13% of them say they really perform well, because they take into account the lessons learned from past incidents in their cyber-resilience strategies.
The survey also revealed that administrators and managers rarely agree on cyber risk responses. How can the organization be made cyber-resilient? With which funds should the investments be financed? Which business entities are the riskiest?
The understanding of what cyber risk preparedness means also varies by geography. North American companies stand in sharp contrast to their Asian counterparts and, to a certain extent, their European ones. They have a different understanding of the frequency and impact of cyber-attacks and are more confident in their ability to overcome an intrusion into their systems.
Among the other key findings of the report:
- Corporate cyber resilience spending represents approximately 1.7% of revenues, and 96% of board members consider this amount to be insufficient.
- North American companies spend the most on cyber risks (2 to 3% of revenues versus 1 to 2%, or less, for other regions).
- No cyber-protection solution stands out from the others.
- Investments in cyber-defense technologies and the recruitment of specific IT skills score similarly.
- Three out of four regions believe that the supervision of cyber risk should be entrusted to the “Board of Directors as a whole”. Only Europe distinguishes itself by entrusting this responsibility to a team dedicated to this risk.
For Anthony Dagostino, Global Head of Cyber Business at Willis Towers Watson, “It’s important for companies to understand that cyber risk is not an option. The management of this threat is still too limited to certain roles while it is the responsibility of everyone. The board should highlight the need to have a formal framework to counter the cyber threat and business leaders should implement this framework by involving all parties…”
Guillaume Deschamps, Director of Financial Lines (FINEX) in France, adds: “Companies need risk management that is much more integrated than it is today. While technology will continue to play a crucial role in corporate defense, let’s not forget that more than half of the intrusions are due to poor employee reflexes and lack of skills in the teams in charge of cyber protection. That’s why companies need to make investments in raising awareness of their human capital and underwriting cyber insurance contracts on the agenda of their Board of Directors.”