Chapter 2. Findings: Understanding Cyber Risks and Response Readiness
1. For most companies across sectors and regions, cyber resilience is a strategic risk
The workshop and interview sessions found that European companies are slightly more concerned than their American counterparts about cyber resilience. The research also indicated that as awareness has grown, chief information officers (CIOs) and chief technology officers (CTOs) are just as concerned as chief information security officers (CISOs). Practitioners believe cyberattacks are a greater risk than other types of technology risks. Some executives found internal threats to be as big a risk as external attacks (see Figure 2).
FIGURE 2: CYBERATTACKS ARE MORE OF A RISK
Financial institutions are particularly sensitive — about 80% of them believe cyber resilience is a “strategic risk”, compared with roughly half of other institutions. “The issue is coming earlier in the conversation,” says the chief executive officer (CEO) of a high-tech vendor. “Before, we may not have covered it until the end of the meeting; now it is the first or second thing companies are asking us about.” (See Figure 3.)
FIGURE 3: OVERWHELMING MAJORITY OF FINANCIAL INSTITUTIONS CONSIDER CYBERSECURITY TO BE A STRATEGY RISK
The nature of the threat is heavily dependent on sector. “Product” companies, such as those in high technology, are most concerned about industrial espionage. “Services” companies focus on the loss and release of personally identifiable information and service disruption. Concern also exists over interference with business operations over time. For product companies, the leaking of proprietary knowledge about production processes may be more damaging than leaks of product specifications, given the pervasiveness of “tear down” techniques and legal protection for product designs.