A survey on Enterprise-wide Cyber Risk Management Practices was released this month by Zurich Financial Services Group (Zurich). The report, entitled A New Era In Information Security and Cyber Liability Risk Management, revealed some really interesting findings on information security and cyber risks across a broad array of industries.
The survey disclosed that the vast majority of risk professionals recognise that information security and other cyber risks are at least a moderate threat to their organisations. Most of the respondents say that cyber exposures are the focus of specific risk management activities within their organisations. Companies address these risks to differing degrees. A growing number of organisations are adopting an enterprise-wide approach to information security and cyber risk management. The report also states that only about one third of organisations currently purchase insurance as part of their cyber risk management strategy.
The majority of survey respondents acknowledged that it is the responsibility of the entire organisation to mitigate risks. Although information security and cyber risk management was recognised as an enterprise-wide responsibility by many respondents, the IT department is still seen as the front-line defence against information losses and other cyber-related risks.
Nowadays, every business, regardless of maturity, size or industry, faces a wide variety of risks. Such risks come in many forms, including market risks, financial risks and legal risks. Among the risks associated with information and information systems, cyber risks are some of the most challenging. Every organisation today faces cyber risks, ranging from the loss of information on a single device to the disruption of its entire business operations caused by a data centre outage. Businesses must also be aware that the cyber risks they face are constantly changing.
It is the responsibility of every business to understand and address these risks by complying with regulations and implementing information security management systems (ISMSs).
Risks can be accepted, mitigated or transferred, but they should never be ignored.
Before this stage, however, organisations must carry out a risk assessment to determine which risks are likely to affect their information security systems.