With cyber threats continuing to be a top concern for organisations worldwide, how can they strengthen resilience and manage potential threats?

This is a topic we explored in our recent Insights event, Beyond the Breach - Risk vs Investment, where we looked at how companies and public sector organisations are investing their cyber security spend and their approaches to cyber insurance.

The event brought together experts from across NCC Group and the wider industry, and we were also joined by special guest Jano Bermudes, Head of Cyber Risk Consulting at Marsh.

Let’s delve into some of the key discussions from the day…


How should businesses spend their cyber security budget?

When it comes to cyber security, one of the most common questions asked by organisations is how to allocate a budget. Against a backdrop of increasingly difficult global economic headwinds, purse strings are tightening, and leaders are looking for ways to get the most from potentially squeezed budgets.

In a recent poll of senior leaders across the globe, we asked where they are focusing their cyber security spend. The poll showed a range of responses, with the largest share of participants (43%) highlighting technology as the principal focus, followed by people, processes, and lastly insurance.

With a proliferation of security technologies and solutions available, it can be overwhelming to determine what is vital to protect business-critical elements. One key takeaway from Beyond the Breach is that businesses can and should focus on building cyber resilience throughout their organisation, rather than simply purchasing the ‘latest and greatest’ technology.

While new software and technologies can certainly help protect against cyber attacks, they are not the only solution, and this approach may not be the most efficient or financially prudent. Instead, businesses should focus on educating employees in security awareness and best practices, implementing strong processes and procedures, and testing their security systems regularly. That means employing basic protective measures, from multi-factor authentication on account logins to escrow agreements that facilitate the continuity of business-critical digital assets in the event of an attack. By taking a holistic approach to cyber security, businesses can build resilience that will help them withstand threats and mitigate their impact on the organisation.


Is cyber becoming uninsurable?

Another important topic discussed was a recent burning question: is cyber risk becoming uninsurable? It’s a question that has been at the forefront of the industry lately, with the frequency of cyber attacks escalating and the costs of breaches skyrocketing. Our recent poll showed 30% of respondents believe the sector is soon to be uninsurable, whilst 45% think it has already reached this point.

Jano Bermudes, Head of Cyber Risk Consulting at Marsh, took a positive view of how the insurance industry is keeping pace with cyber risks: “The [industry] is becoming more resilient, and as it does, it’ll resolve some of the capacity issues we’re seeing now.”

Given that cyber attacks are becoming more sophisticated and frequent, insurance providers are also becoming more stringent in their underwriting process to reduce the risk they take on when providing cover. The industry is beginning to conduct deeper and more complex examinations, with the aim of understanding how businesses are set up and what their risk management strategies are. The benchmark for obtaining insurance is constantly rising, making it more difficult for organisations to attain the necessary coverage.

Insurance is not a silver bullet for cyber security. While insurance can provide financial relief and crisis management services in the aftermath of a breach, it is not a replacement for a solid cyber security strategy. In fact, relying solely on insurance can be detrimental to an organisation. Leaders need to be prepared to respond to a breach with their own resilience measures, such as incident response plans, backups, and disaster recovery strategies.

A majority (51%) of our poll respondents did not feel their cyber insurance policy covered all their needs. Insurance coverage can vary widely depending on the policy and the insurer, and it should not be the only protection organisations have in place. To ensure comprehensive protection that goes beyond insurance, leaders should work with cyber security advisors to determine what their organisation’s risk appetite is and what to put in place to mitigate the impact of a breach.

Organisations must also build wider resilience measures throughout the business, from backup systems and escrow agreements to disaster recovery plans, in combination with insurance protection. By taking a holistic approach, organisations can properly protect against and mitigate the impact of a breach.


To round up the event, we asked our experts which three key areas companies should be focusing on when it comes to cyber security in 2023.

Here’s what the experts said:

  1. Preparation: Cyber breaches must be approached as an unavoidable risk. Prepare for breaches by putting relevant systems in place to mitigate the implications of data loss and significant service disruption. Treat it as a ‘when’, not simply an ‘if’.
  2. Align yourself to your business objectives: Make sure your security posture mirrors the risk appetite of the business. You need to become an enabler in your organisation, taking a proactive approach to align such changes to your business strategy. A major part of this is ensuring these changes are enforced in policy throughout the organisation.
  3. Cyber hygiene: Vulnerability management is a crucial part of cyber resilience, and many organisations are making mistakes in foundational areas. Organisations should know their assets and where they are, as well as taking a proactive approach to patch management and fixing problems as they arise. These fundamentals are very important. Think about fixing them before you decide to integrate an appliance to address ransomware, for example.


One final key takeaway

Always take a holistic approach. Focus on building cyber resilience throughout the organisation. Implement strong processes and procedures, and test security processes regularly. Explore insurance and assess coverage needs, so that support is available after a breach. Review your spend regularly to make sure it meets your needs. Face into the cyber security challenges your organisation may be facing, to better protect against ever-evolving threats.