Guarding the Gates: Empowering Risk Managers to Confront Cyber Threats in the Boardroom

New Data Shows Diminishing Focus on Cyber Defence in the Boardroom

The Rising Threat of Cybercrime

According to the specialist insurer Beazley’s latest Risk & Resilience report, the boardroom focus on cyber risk is waning, despite evidence that cyber attacks are on the rise. This is a cause for concern as the economic impact of cybercrime on businesses worldwide is predicted to reach a staggering US$10.5 trillion by 2025, a significant increase of 300% since 2015.

The report highlights that the perceived threat of cyber risk among global business leaders has fallen from 34% in 2021 to just 27% over the past two years. Furthermore, it is predicted to remain at 27% in 2024, indicating a decline in business preparedness for this risk. This decrease in concern is accompanied by a fragmentation of the technological risk landscape, with executives showing nearly equal levels of concern about disruptive new technologies, such as Artificial Intelligence (AI).

The report also reveals a shift in business leaders’ focus towards other concerns, such as the risk of theft of intellectual property (IP). In 2023, 24% of business leaders ranked IP theft as their top risk, double the percentage from 2021. Alarmingly, more than a fifth (21%) of businesses feel they cannot keep pace with technological advancements, indicating a declining resilience to this evolving threat.

The Implications for Risk Managers

The declining interest from boards in cyber risk should be a cause for alarm for risk managers. After a relatively quiet end to 2022, there has been a rise in the frequency of global cyber-attacks in Q1 2023, with notable increases in incidents month-to-month. Cybercriminal organizations are taking advantage of new technologies, such as AI, to enhance the credibility of spear phishing attacks.

As cybercriminals become more sophisticated, risk managers may experience an uptick in the severity and frequency of attacks on their organizations. However, the data shows that C-suite concerns around the cyber threat are dropping, while their perceived resilience to this threat has fallen to 74% from 80% last year. This suggests that cyber risk fatigue may be causing a risk blind spot for some businesses or that they are being distracted by other risks on their radar.

Minimizing, Mitigating, and Transferring Cyber Threats

Risk managers can take several steps to minimize, mitigate, or transfer cyber threats. One essential measure is to maintain good basic security hygiene. This includes securing what is exposed to the internet, enabling multi-factor authentication, and building web applications with security in mind. Running penetration testing to identify weaknesses before threat actors do is also recommended.

Cloud environments require special attention, as configuration mistakes can have catastrophic consequences. Quick patching remains key in protecting against newly discovered vulnerabilities, as threat actors often exploit them within minutes of disclosure. Adopting a ‘Defence in Depth’ strategy, which sets up multiple layers of defence against potential attacks, is highly recommended. This approach acknowledges the likelihood of a breach and implements controls to limit its impact.

A Defence in Depth strategy includes installing security patches promptly, limiting users’ permissions and access to role-based needs, having a hardened security configuration of systems and applications, and minimizing network connections. Automatic detection and response capabilities, such as Endpoint Detection and Response, should also be in place. Incident response and disaster recovery plans should be developed and regularly tested, and secure backup systems that resist ransomware attacks are vital.

Staying Vigilant

Although some businesses may have experienced a brief decline in cyber activity due to the war in Ukraine, risk managers must not be lulled into a false sense of security. It is crucial to remain vigilant and constantly review infrastructure to identify and address vulnerabilities.

While it is encouraging that more than a third of businesses plan to invest in cybersecurity this year, risk managers should not overlook the importance of maintaining a focus on cyber risks. The rising tide of cyber-attacks and incidents demands continuous improvement and adaptation to effectively manage the evolving threat landscape.

<< photo by Michael Dziedzic >>
The image is for illustrative purposes only and does not depict the actual situation.


author

fongse@gmail.com

G'day, mates! I'm Greg Buckley, and I've been reporting here in the land Down Under for the last 15 years. I'm all about sports and culture, so if there's a footy match or an art exhibit, you'll likely see me there. Let's give it a burl together, Australia!
