Regulation Catalyst in Risk Enforcement
Government, Private Sector Diverge on Attitudes Toward Risk
When it comes to cyber-risk, IT security professionals in government don't necessarily think like their counterparts in the private sector.
That's one takeaway from a survey conducted for the Federation of European Risk Management Associations by the Harvard Business Review Analytic Services, corporate insurer Zurich and the public sector risk management organization PRIMO.
According to the report, Meeting the Cyberrisk Challenge, respondents from governmental organizations express greater concern about data breaches affecting employee information - nearly half, compared with just over one-third of private-company respondents - while the private side is twice as concerned about customer data breaches - more than 60 percent saying so, compared with just over 30 percent on the government side.
On the surface, these results suggest that businesses care more about their customers than governments do about their citizens. But that isn't the case. Dig deeper into the survey results and you'll see that regulation plays a big part in how businesses assess and react to cyber-risk.
The survey shows that enterprises are concerned about the legal and regulatory threats that can result from breaches. Survey respondents most frequently place business income loss (40 percent) and the cost to restore crucial proprietary electronic information (36 percent) among their top five concerns. The next three: Legal defense and settlement costs from third party claims (35 percent), costs to comply with regulatory settlements (31 percent) and costs to defend against regulatory investigations (30 percent).
"Regulation and compliance are absolutely the key drivers of what most organizations are attempting to do in the way of cyber-risk," FERMA board member Julia Graham, chief risk officer of the global law firm DLA Piper, says in the report.
The survey reveals that fewer than two of five respondents say their organization is in compliance with baseline standards set by law on information security and privacy. The public sector appears to perform better, with nearly three-quarters of respondents saying their organization is in compliance. Only 22 percent of all respondents say their organization is in compliance with baseline standards set by standards-setting bodies.
Other points of note from the survey:
- Nearly two-thirds of survey respondents say their organization has formally assigned roles and responsibilities to key individuals as part of an incident response plan. But few have made contingency plans with preferred vendors. Fewer than half say they have a strategy for communication to the general public in case of a cyber-risk incident, although the public sector does a better job, with 60 percent-plus of respondents saying they have done so.
- More than half of respondents say their organization evaluates its information security and privacy systems and practices regularly; but just under one-third of government respondents agree. More than 80 percent say they evaluate or reassess systems and practices either annually or continually. These activities are performed in-house at more than 80 percent of organizations, rather than by external contractors.
- Top executives often tend to regard themselves as doing a great job controlling cyber-risk, but too often, responsibility remains concentrated with the chief information officer or head of technology. Only 16 percent of companies have designated a chief information security officer to oversee cyber-risk and privacy.
- More than two of three organizations regularly update their antivirus software, while a similar proportion have introduced secure configurations for network devices such as firewalls, routers and switches. But more than 20 percent say their enterprise's budget for activities to maintain information security and privacy is inadequate; nearly 10 percent say they don't know whether it is.
The survey suggests that IT security is becoming a greater part of the fabric of the enterprise. Indeed, a majority of respondents say their boards receive regular updates on key issues concerning IT security and privacy risk management. Still, as the survey authors note, awareness of and attention to cyber-risk aren't penetrating all levels of the organization fast enough to keep the risk of such events under control.