By Christos Adamantiadis ,
CEO, Marsh McLennan Europe
18/09/2022 · 4 minute read
The scale of risk posed by corporate unpreparedness has been exposed in a new survey from Marsh, a leading global insurance broker and risk advisor, and Microsoft. Based on responses from 660 regional and global cyber risk decision-makers, the report, The Middle East & Africa State of Cyber Resilience, analyses how cyber risk is viewed by various functions and executives in leading organisations, including cybersecurity and IT, risk management and insurance, finance, and executive leadership. Its findings are problematic.
Executives’ low confidence in their organisation’s core cyber risk management capabilities – the ability to understand and assess cyber threats, to mitigate and prevent cyber-attacks, and to respond to attacks – remains a major concern. Indeed, 60% of respondents stated that they have not even conducted a risk assessment of their vendors or supply chains.
Given the accelerated growth in the complexity and scale of cyber-attacks in the region over the past few years, these findings are particularly troubling. The toll of almost three years of unrelenting workplace disruption, digital transformation, and ransomware attacks does not yet appear to have made a significant impact on the way that business leaders think about risk. This is surprising given the series of high-profile incidents the region has experienced.
The UAE alone saw 166,667 victims of cybercrime in the past few years, with a combined loss of US$746 million to businesses. One of the most serious breaches to hit the UAE targeted a major hospital in Dubai: the attackers copied and encrypted 60 GB of internal information, including ID cards, internal memos, and hospital call logs. Pointing to the scale of ransomware activity, the XDR company Cybereason released statistics in June 2022 indicating that 77% of UAE organisations had suffered at least one ransomware attack over the preceding 24 months.
Confidence in cyber risk-management remains at relatively low levels, with few organisations expressing high confidence regarding their organisation’s ability to understand and assess cyber threats.
To make things worse, the Marsh and Microsoft report shows that whilst three-quarters (75%) of the surveyed organisations recognised insurance as an important part of any cyber risk management strategy, more than a third (37%) admitted to having no cyber insurance in place at all. In contrast, more than half (54%) of those organisations that had procured insurance acknowledged that doing so was accepted best practice within their business sector and had helped them adopt a more stringent and resilient approach to cyber risk.
Successfully countering cyber threats needs to be an enterprise-wide goal – one that builds cyber resilience across the firm, rather than relying on isolated investments in incident prevention or cyber defence. Stakeholders from across the organisation must work together to align their cyber risk management strategies, so that managing cyber risk becomes a shared responsibility. This means involving risk managers, finance, cybersecurity / IT, and executive leadership, whilst also continuing to invest in employee awareness. Greater cross-enterprise communication can help the region’s businesses bridge the gaps that currently exist, boost confidence, and better inform strategic decision-making around cyber threats.
As advised by Marsh, practical risk prevention and mitigation means investing in a broad, balanced, and continuously updated array of resources and activities that mitigate cyber risk and reinforce cyber resilience. These include, but are not limited to, cybersecurity technology and talent acquisition, incident response training, penetration testing, vendor/supply chain risk assessments, cyber insurance, and cyber risk advisory services.
Most companies believe the largest barrier to cyber risk mitigation is not having the right employees and talent, so staff training is vital. Employees who start up their laptops at home are exposed to more phishing and social engineering attempts, and countering such risks requires enterprise-wide alignment. In fact, remote working tops the list of technologies that respondents see as enabling cyberattacks, which makes cybersecurity awareness training and phishing testing a worthwhile investment: the price of cyber illiteracy and inaction only grows heavier. HR is a crucial partner in the effort to cultivate a culture of cyber responsibility.
Firms should also undertake cybersecurity effectiveness assessments to help identify appropriate data and analytics tools, understand the entire cyber threat environment, and translate cyber risk into the language of business with actionable insights. This proactive – and defensive – approach is crucial because it is not a question of whether an organisation will be attacked, but of when. Every business, everywhere, regardless of size or sector, must act now to protect itself, its supply chain, and the wider economy.