Balancing risk and opportunity through better decisions
From insurance brokerage and risk advisors Aon: the 2021 Cyber Security Risk Report
Cyber risk runs deep. Now more than ever, global business leaders are finding themselves under increasing pressure. Revenues are down, budgets are constrained, and the continuous rush to transform has organisations playing catch-up in the cyber security game.
It is a balancing act between risk and opportunity, and organisations are constantly asking themselves: How can we make informed decisions around our cyber budget to support changing business models – while protecting our people, clients, partners, and our balance sheet?
To answer this question, we identified four key cyber risk themes that are prominent today. Each theme was mapped against cyber security controls to determine performance trends across organisations using insights from Aon’s Cyber Quotient Evaluation (CyQu) risk assessment. The identified trends were based on self-reported data received globally from 996 organisations, representing 20 industry groups.
Overall, the global CyQu data reveals that cyber security risk management practices and technologies are not formulated, and that risk is being addressed in a predominantly reactive manner. As a case in point, only two in five organisations report that they are prepared to navigate new exposures arising from rapid digital evolution. More alarmingly, only 17% of organisations report having adequate application security measures in place, and just 21% of organisations have baseline measures in place to oversee critical suppliers and vendors. This is concerning following the recent SolarWinds and Accellion breaches, which illustrate the vulnerability of third-party networks.
Cyber risk 2021: From digital evolution to regulation
Following is a snapshot of findings in Aon’s 2021 Cyber Security Risk Report across the four key 2021 cyber risk themes:
- Navigate new exposures: Rapid digital evolution – In 2020, any thought of a paced and strategic digital agenda was tossed aside in favour of survival. CyQu data revealed that organisations are challenged to navigate this new environment. Only 40% of organisations report having adequate remote work strategies to manage this risk, and only 17% report having adequate application security measures in place. Digital evolution is constant, and organisations are called on to weigh the projected benefits of a digital agenda against the cyber risk introduced.
- Know your partners: Third-party risk – This year, organisations will evaluate the cyber risks arising from their supply chains in new ways and with heightened concern. It takes just one undefended back door to compromise business viability. CyQu data tells us that organisations are not nearly ready to assess and manage third-party risks. An alarmingly low 21% (one in five) of organisations report having baseline measures in place to oversee critical suppliers and vendors. However, findings suggest that physical security strategies are better managed.
- Concentrate on controls: Ransomware – The number and variety of ransomware attacks exploded in 2020. Seven in ten attacks involved the threat to leak exfiltrated data, and some variants threatened to auction stolen data. Insurers are taking note, and 62% cite access control as a critical topic. CyQu data revealed that many organisations remain at little more than an initial stage of risk maturity and are failing to concentrate on the right controls. Only 31% of organisations report having adequate business resilience measures in place, a red flag given that ransomware poses a business interruption risk.
- Perfect the basics: Regulation – The rapid changes forced by COVID-19 only served to broaden pre-existing compliance gaps, and potentially generated new ones. Entering 2021, change is underway, and more restrictive data protection laws such as the California Privacy Rights Act (CPRA) and Thailand’s Personal Data Protection Act (PDPA) are taking effect. Organisations must be mindful. Compliance does not equate to security; the standards just set the baseline. CyQu data tells us that organisations have yet to perfect the basics, with less than two in five (36%) reporting adequate levels of data security preparedness.
Cyber risk preparedness: How does your industry stack up?
CyQu data demonstrates that organisations across revenue bands, industries, and regions are performing below baseline when it comes to managing cyber risk. As is to be expected, the industries that are historically viewed as data aggregators – financial institutions and technology, media and telecommunications – perform above the global industry average across the four identified cyber risk themes. However, no one industry has achieved a level of maturity in which cyber security risk management is entrenched throughout the majority of the organisation.
The opportunity: Making better decisions informed by data
How do organisations become more prepared and protected? In addition to concentrating on the security control areas identified across the four key cyber risk themes, below is a blueprint to help organisations ask the right questions.
- What is the state of our security and controls, in particular as they apply to digital evolution, third-party risk, ransomware, and regulatory risk?
- What are the most important assets we need to protect?
- What are the most likely threats?
- How do we balance business needs with cyber risks?
- Do we know the type and materiality of our potential losses? For ransomware, do we know this beyond risk of data encryption?
- Do we understand key regulatory requirements and costs associated with non-compliance?
- How are we making security investment decisions?
- Can we measure the effectiveness of our current risk management and insurance, in terms of Total Cost of Risk (TCOR)?
- Do we understand our exposures?
- Do we have an effective strategy to mitigate loss?
- Should we transfer a portion of our risk to the insurance market, or consider alternative risk transfer strategies?
Incident response readiness
- Do we have an appropriate, usable incident response plan? If yes, is the response team trained and ready to act?
- Do we have the right security and forensic tools, processes and procedures?
- Have we properly configured our cyber security technology?
- Can we quickly and effectively respond to an incident?
New cyber risk exposures are emerging daily. Artificial Intelligence (AI), alternative payments, retirement plans, and technology supply chains are just a few notable and imminent risks. Vigilance and education are essential. We encourage you to explore the full 2021 Cyber Security Risk Report to help your organisation evaluate its cyber risk maturity and make better enterprise risk decisions.