Survey: Worries over complacency and overconfidence keep cybersecurity experts up at night

May 24, 2017 by Michael Bruemmer

Your company may have a response plan in place to handle cybersecurity breaches. You may have had professional help in putting your plan together and managing it. But cybersecurity experts still aren’t convinced your organization will be able to effectively implement the plan when an incident occurs.

That was one of the key takeaways of a new survey by Advisen, sponsored by Experian Data Breach Resolution. Advisen polled more than 300 risk managers, data brokers and legal experts to find out which cyberthreats have them most worried. It turns out that the biggest threat might not be an external one, but rather complacency and overconfidence within companies.

The confidence gap

If it’s not worrisome enough that outside cybersecurity experts are concerned about their clients, the survey found a significant gap between what third-party risk experts and internal security professionals think.

Generally, risk managers gave their companies higher ratings than did data brokers and legal experts. Risk managers, on average, gave their employee education programs ratings of 3.36 out of a possible 5, yet data brokers and legal experts ranked their clients well below that — at 2.57 and 2.91, respectively. Further, 72 percent of risk managers thought their network protections were above average, but the majority of outside security experts felt their clients’ protections were below average.

What’s more, risk experts weren’t confident in their clients’ ability to navigate a range of security threats, including a breach of personal or financial information due to phishing or social engineering: 80 percent of legal experts and 68 percent of brokers were concerned, versus just 61 percent of risk managers. Additionally, they expressed concern over their clients’ lack of knowledge about how best to work with vendors and the government to navigate cyber risks.

Overestimating cyber preparedness

Many of the responses from risk professionals at businesses of all sizes indicate they believe they are prepared to respond to a cyber incident. While brokers and legal experts generally agreed larger companies were at least somewhat prepared, they still harbored concerns over mid-size and small businesses. In fact, their confidence in smaller businesses’ ability to respond to a cyber incident was significantly lower.

Risk managers from businesses of all sizes consistently rated their cyber risk practices as more effective than did their trusted advisers. Their confidence in their practices exceeded that of third-party cybersecurity experts in every category, including:

  • Staffing of cybersecurity talent
  • Purchasing cyber insurance
  • Disclosure obligations
  • Identifying vulnerabilities
  • Response preparedness
  • Monitoring and protecting networks
  • Identifying exposures
  • Managing vendors
  • Educating employees

Some good news

It’s important to note that while third-party risk experts and risk managers had varying perceptions of preparedness, they were in agreement on what risks to watch for in the coming year. All cited phishing of personal or financial information as the greatest area of risk. Further, all three recognized ransomware attacks as the area of second-greatest risk.

Risk managers and legal experts were more concerned about vulnerabilities through the Internet of Things than brokers were, while brokers were significantly more worried about transfer of funds to unauthorized recipients through phishing or other tactics.

Finally, all three groups agreed that senior managers are far more aware of cybersecurity risks and involved in security than in previous years. Seventy-seven percent of risk managers said their senior management’s cyber risk concerns closely aligned with the concerns of the IT department and corporate risk management. The same percentage of brokers and 84 percent of legal experts said their clients’ senior managers were in accord with them on cyber incident response.

The full 2017 Cyber Risk Preparedness and Response Survey offers further insight into how well risk managers, brokers and legal experts feel companies are prepared to manage cyber risks. It’s available for free download.