The state of cyber resilience, it’s everyone’s responsibility

There are lessons for local government in a new global cyber-risk report from Marsh and Microsoft.

Only 41% of organisations engage legal, corporate planning, finance, operations, or supply chain management in making cyber-risk plans, finds a new report from Marsh and Microsoft.

The State of Cyber Resilience, June 2022, report is the third such collaboration between Marsh and Microsoft and highlights key cyber-risk trends alongside how to build a cyber-resilient team.

It's clear that almost three years of unrelenting workplace disruption, digital transformation, and ransomware attacks have taken their toll. Globally, most leaders are no more confident in their ability to manage cyber-risk than they were two years ago.

One thing holding back confidence is that most companies have not adopted an enterprise-wide approach to cyber risk. For many organisations cyber-security still sits within the responsibility of IT.

While functions across the organisation have common interests around cyber-risks, the research found that they often act independently, missing the potential benefits that an enterprise-wide approach offers.

Top eight cyber-risk trends

  1. 73% of companies had experienced a cyberattack. Cyber-specific enterprise-wide goals should be aligned to building cyber-resilience versus simply preventing incidents, as every organisation can expect a cyberattack.
  2. Ransomware is the top cyber-threat faced by companies, but not the only one. Other prevalent threats include phishing/social engineering, privacy breaches, and business interruption due to an external supplier being attacked.
  3. Risk transfer (e.g. via the Scheme) is an important part of cyber-risk management strategy, and influences the adoption of best practices and controls. 61% said their company buys some type of cyber insurance coverage.
  4. Only 3% of respondents rated their cyber-hygiene as 'excellent'. Adoption of more cybersecurity controls leads to higher cyber-hygiene ratings.
  5. Organisations lag in measuring cyber-risk in financial terms, which hurts their ability to effectively communicate cyber-threats across the enterprise. Just 26% of respondents said their organisation uses financial measures for cyber-risk.
  6. Increased investment in cyber-risk mitigation continues, though spending priorities vary across the enterprise. 64% said experiencing a cyber-attack led to an increase in cyber-risk investment.
  7. New technologies need to be assessed and monitored on a continuous basis, not just during exploration and testing prior to adoption. 54% of companies said they do not extend risk assessments of new technologies beyond implementation.
  8. Vendors and the digital supply chain are overlooked by organisations when they take cybersecurity actions. Only 43% have conducted a risk assessment of their vendor/supply chain.

Building a resilient team for your local government

It's important to understand how professionals across an organisation view their role when it comes to cyber protection, cyber-incident management, cybersecurity tools and services, and more.

Consider the following questions in the context of your local government and its various officers with regard to cyber: Do they consider their function to be the decision maker? To be part of the overall team, with input into the decisions? Or are they not involved at all?

The answers will go a long way in determining the next steps your local government needs to take to develop organisation-wide cyber-resilience.

The research found that the level of involvement in various areas of cyber-risk management is a mishmash of roles and responsibilities.

While responses reflected a widespread desire to increase spending on cyber-risk, exactly where the investments should be made varies by function. Role clarity and clear authority for decision making are vital to help organisations maximise the efficiency of those investments.

Support for LGIS members

LGIS will be piloting a cyber-risk program in 2022 designed to help members better understand their exposure and develop targeted plans to address it. Places for the pilot will be limited, but talk to your account manager if you're interested in getting involved.

Read the full report here
