The vast majority of executives around the world feel that their organizations aren’t learning resilience lessons in the face of cyberattacks, new research reveals.
While most companies feel they are doing well when it comes to incident response, just 13% say they are doing better than average in incorporating lessons from cyber incidents into their resilience strategies, a study by The Economist Intelligence Unit (EIU) and Willis Towers Watson has found.
The survey, which polled more than 450 companies globally about their strategies and challenges in building a cyber-resilient organization, found little consensus on cyber-resilience planning, with boards and executives differing on where to allocate funds and what areas of their organization were most at risk.
The average corporate resilience spend is currently about 1.7% of revenue – which 96% of board members believe isn’t enough – with North America spending the most on cyber resilience as a percentage of revenue, at 2-3%. Other regions spent 1-2% or less, the report revealed.
Perspectives on who should take responsibility for cyber risk also varied: Three out of four global regions believed that the “board as a whole” should oversee cyber risk, while Europe said the responsibility should fall to a dedicated cyber group.
“It’s important for companies to understand that achieving cyber resiliency is a company-wide imperative, one that shouldn’t be sequestered to certain roles or functions,” said Anthony Dagostino, global head of cyber risk for Willis Towers Watson.
“Boards should emphasize the need for a strategic framework, and the C-suite should set the tone within their organizations by empowering stakeholders, such as IT, risk, HR, legal and compliance to drive an integrated risk management and resiliency strategy.
“While technology will remain a crucial defense, more than half of cyber incidents are attributable to employee behavior and talent deficits in cyber roles, so investing in other areas such as human capital solutions and cyber insurance have to become part of regular board and C-suite conversations.”