Survey: Senior executives not confident in cyber protection

While company executives are aware of cybersecurity's importance, few are confident in their ability to prevent a potential cyber attack, according to research by Marsh and Microsoft.
By Gregory Hale, ISSSource, April 19, 2018

Few organizations are highly confident in their ability to manage the risk of a cyber attack even though it is a major priority, according to a survey conducted by Marsh and Microsoft. In the global survey of more than 1,300 senior executives, two-thirds ranked cybersecurity among their organizations’ top five risk management priorities—approximately double the response to a similar question Marsh asked in 2016.

The survey also found 75% of respondents identified business interruption as the cyber loss scenario with the greatest potential to impact their organization. This compares to 55% who cited breach of customer information, which has historically been the focus for organizations.

Despite this growing awareness and rising concern, 19% of respondents said they are highly confident in their organization’s ability to mitigate and respond to a cyber event. On top of that, 30% said they have developed a plan to respond to cyber attacks.

“Cyber risk is an escalating management priority as the use of technology in business increases and the threat environment gets more complex,” said John Drzik, president Global Risk and Digital, Marsh. “It’s time for organizations to adopt a more comprehensive approach to cyber resilience, which engages the full executive team and spans risk prevention, response, mitigation and transfer.”

An important step toward this goal is risk quantification. According to the survey, under 50% of respondents said their organization estimates financial losses from a potential cyber event and, of those that do, only 11% make their estimates in economic terms. Such calculations are a key step in helping boards and others develop strategic plans and investment decisions, including those related to cyber insurance purchase, the report found.

Responsibility for cyber risk management continues to lie primarily with the IT department, with inconsistent involvement of other stakeholders across the enterprise. According to the survey, 70% of respondents pointed to IT as a primary owner and decision-maker for cyber risk management, compared to 37% who cited the president/chief executive or the board of directors, and 32% who cited the risk management function.

“While technology is the foundation of any good cybersecurity strategy, companies can benefit from investing in non-technology solutions like risk management as part of a holistic approach,” said Matt Penarczyk, vice president and deputy general counsel, Microsoft. “Through advanced technology, tools and training, for example, companies can better protect the data in their networks and be ready for the business interruptions and reputational risks associated with cyber attacks.”

Gregory Hale is the editor and founder of Industrial Safety and Security Source, a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media.
