The more senior executives know about cyber risks, the less confident they are in their companies’ ability to protect themselves against an attack.
Lloyd’s, the British insurance market, surveyed 588 C-suite and board-level executives around the world this spring about cyber risk as one of 50 categories of business risks. It found, as presented in the Lloyd’s Risk Index 2013, a sharp drop since the previous report in 2011 in how well prepared companies feel they are to guard against cyber risk. In the new study, only 46% of executives said their companies are better prepared now than they were two years ago—way down from the 70% who said so in the 2011 report.
This steep drop comes at the same time as executives rate online security threats as a far graver danger than they did in 2011. In that earlier report, cyber risk was split in two: executives ranked malicious cyber threats No. 12 on their list of business risks and non-malicious cyber risks No. 19. The new report merged these two types into a single category of cyber risk, which soared to No. 3 out of the 50 on the list. (The top five risks, in order, were high taxation, loss of customers or cancelled orders, cyber risk, price of material inputs and excessively strict regulation.)
The report cites a series of high-profile attacks as a key factor driving cyber crime up the worry list of top executives: “2012 saw the takedown of the Interpol, CIA and Boeing websites, the suspension of alternative currency Bitcoin’s trading floor, the mass theft of passwords from professional networking site LinkedIn, the outage of the websites of six major U.S. banks and many more.”
The previous surveys in 2009 and 2011 revealed that businesses were underestimating the frequency and impact of cyber breaches, contends the new report. With the new survey, “it appears that businesses across the world have encountered a partial reality check about the degree of cyber risk.”
The report has a key piece of advice for business leaders who are now properly worried about cyber threats: look first inside your company. It cites an April report by the Insurance Information Institute that concluded that employee negligence is responsible for 39% of data breaches, system glitches for 24% and malicious or criminal attacks for 37%. “That leaves nearly two-thirds of incidents caused by issues which should reasonably be within a business’s control,” concludes the report.