360° CYBER RISK SURVEY
CONTENTS
INTRODUCTION AND METHODOLOGY 3
SURVEY FINDINGS 4
Organizational Background 5
Risk Identification 8
Information And Asset Protection 10
Event Detection And Response 16
TOP CHALLENGES 22
PATH FORWARD 25
ABOUT THE SURVEY PARTNERS 27
METHODOLOGY
The 360° Cyber Risk Survey, conducted in partnership by Aronson LLC, Ridge Global, and Risk Cooperative, was designed to evaluate the collective state of readiness among middle-market organizations. The survey was conducted online among clients and contacts of Aronson LLC, Ridge Global, and Risk Cooperative, who were invited via email and social media to participate.
The survey was designed to align with the National Institute of Standards and Technology (NIST) Framework for Improving
Critical Infrastructure Cybersecurity. Specifically, the survey categories were developed from the referenced NIST Framework
Core functions:
Identify | Protect | Detect | Respond | Recover
The findings of the survey were closely scrutinized and rounded to the nearest tenth percentage point. In some cases, respondents
were given the option to select all applicable responses and statistics from those questions are noted accordingly.
INTRODUCTION
The release of the 360° Cyber Risk Survey Report comes at a critical time. Information technology (IT) is vital to virtually all organizations, regardless of size, industry, or geographic location. It is hard to overstate the significance IT solutions play in business success. For businesses that offer services or products in the digital age, IT is the foundation of their business plans. For all organizations, it provides tangible and intangible benefits, such as improving business processes, empowering informed decision-making, and driving revenue growth.
Given the crucial role IT plays for organizations, unmanaged cyber risks can jeopardize a business’ profitability and survival. The risk of a cyber attack is real and rapidly growing. The seemingly endless string of headline-grabbing data breaches, exploitative attacks such as ransomware, and IT-related service disruptions such as denial-of-service (DoS) attacks only reinforce this notion. The May 2017 WannaCry ransomware attack has been regarded as the most damaging ransomware attack to date due to the short amount of time in which it infected an estimated 230,000 computers in over 150 countries. Many are anticipating far more devastating types of attacks in the near future. This threat, when combined with other threat vectors, warrants that all organizations do everything they can to swiftly reinforce their cyber risk defenses.
As larger companies continue to make massive investments in increasing their cybersecurity measures, middle-market and small
businesses are becoming a greater focus for cyber criminals. Many middle-market organizations lack the budget, resources,
processes, and technology to effectively defend against a harmful breach.
Considering the gravity of potential breaches, middle-market organizations need to do more to confront and mitigate cyber risk—
before they face financial losses and reputational damage. The 360° Cyber Risk Survey Report provides rich benchmarked data,
informed analysis, and actionable best practices to help middle-market organizations, senior leaders, and boards of directors
obtain a better understanding of the operational and financial impacts of cyber risks. In today’s ever-changing cyber threat
landscape, knowing how your organization stacks up against others is key in the fight to stay ahead of the next threat.
Cyber risks must be addressed holistically. Risk mitigation strategies must be devised, which demands stakeholder engagement
from the board-level down to frontline staff members. A multi-pronged approach that leverages technology, education, and cyber
insurance should be contemplated to achieve cybersecurity program resiliency and effectively combat cyber threats.
01 ORGANIZATIONAL BACKGROUND
This section covers the industries represented by the respondent organizations, applicable
standards and regulations, plus respondent roles and responsibilities relative to their
organization’s cyber operations.
OVERVIEW
Survey respondents represented various industries across public and private sectors. The largest share of respondents (33.9%) were in the government contracting industry, followed by professional services (19.6%) and technology (16.1%). Since most of the companies that participated in the survey are based in the Washington DC Metro area, it is not surprising that the top three industries represented in the survey reflect the key players in the regional economy.
Figure 2: Survey Respondent Industries (pie chart). Categories shown: Government Contractors (33.9%), Professional Services (19.6%), Technology (16.1%), Non-Profit, Financial Services, Health Care, Insurance, Education, Infrastructure & Logistics, Energy, Public Sector, and Real Estate.
SURVEY INSIGHTS
58.9% of survey respondents had more than 50% of cybersecurity preparedness activities included within their operational responsibilities.
33.3% of respondents reported that overall accountability for cybersecurity initiatives was held by the Chief Executive Officer (CEO), followed by the IT Department Manager (25.9%) and the Chief Information Security Officer (CISO) / Chief Security Officer (CSO) (20.4%).
27.5% of respondents noted that their legal and IT departments do not coordinate with the security group.
ACCOUNTABILITY & COORDINATION
Cyber risks have enterprise-wide impacts. Therefore, the success of a cybersecurity program is highly dependent upon a supported organizational structure where leaders are clearly assigned and held accountable. In organizations with successful cybersecurity programs, coordination is encouraged and achieved to optimize outcomes.
While the oversight of cybersecurity initiatives is primarily managed by a CEO or IT leader, the success of these efforts depends on other key department leads, including the legal department. Larger organizations may have a General Counsel or legal support in-house, while smaller organizations may require support from outside counsel.
Feedback and guidance from the legal team is vital to cybersecurity initiatives regarding determining liability for incidents and complying with laws, such as breach notification legislation. Proactive coordination activities are crucial to effective interactions during an actual cyber incident. 66.7% of respondents said that their legal and IT departments coordinate with the security group on cyber risk management initiatives. 5.9% of respondents said that coordination between these groups was unknown. Coordination protocols should be established and understood by all involved parties.
CLOUD SERVICES
Organizations continue to move toward reliance on cloud services, which has yielded numerous benefits for organizations
of various sizes. Advantages of migrating to cloud services can include decreased acquisition and maintenance costs, more
efficient uses of personnel, increased time availability, and greater accessibility.
THE TYPES OF CLOUD SERVICES INCLUDE: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
DEPARTMENTS/SUBJECTS MANAGED IN THE CLOUD
*Respondents were able to select multiple departments that applied to their organizations.
IT: 47.2%
Human Resources: 47.2%
Accounting/Finance: 45.3%
Marketing/Sales: 37.7%
Core Business Services: 17%
While transferring some controls and responsibilities to a cloud service provider can have numerous benefits, this does not
mean that all risks have been transferred. A common misconception is that most risks involved with a cloud service are the
responsibility of the service provider. In order for the business relationship to be effective, the organizations using the services
must still manage their responsibilities. A vendor risk management program should be established to properly vet providers,
require minimum security controls (where applicable), monitor compliance with contract agreements, and determine residual
risks and controls within the purview of the organization. These vendor risk management activities should feed into the overall
IT and enterprise risk management programs.
RECOMMENDATIONS
• Cybersecurity Accountability: Ensure that the stakeholder responsible for cybersecurity initiatives is held accountable
for program performance and coordinates with all relevant departments to achieve the objectives. Ideally, cybersecurity
ownership and accountability should be outside the IT department for the program to be truly effective.
• Business Unit Coordination: Involve all relevant business units in IT strategic planning activities and corresponding status
meetings to ensure sufficient representation. To determine which business unit leaders to include in cybersecurity initiatives
consider various factors e.g., the business model, the industry type, types of information exchanged, regulatory requirements,
standards, and related items. This is especially essential in coordination efforts between executive, IT, and legal teams.
• Vendor Risk Management: Develop a vendor risk management program to identify and mitigate vendor risks as well as validate that contractual commitments are met. This program must be designed to fully understand the risks (if any) within the control environment of the vendor, including cloud solution providers. If available, organizations must request, receive, and review System and Organization Controls (SOC) audit reports (formerly known as Service Organization Control reports). A SOC report is an independent auditor’s evaluation of a service organization’s services, which provides transparency and cultivates trust. As these reports are voluntary, organizations must still oversee service organizations that do not have such reports. The vendor risk management procedures should account for these situations by holding discussions with the provider and perhaps conducting on-site visits as needed. These activities should determine potential impacts to system(s), operational activities, and enterprise resiliency. Not all controls are the responsibility of service organizations. It is important to fully understand and implement the controls that rest with end user organizations. Vendor risk management procedures should also include periodic monitoring of the service providers to validate that commitments are being met.
• Governance and Compliance: To support a culture of cybersecurity and resilience, develop a governance program and related IT policies and procedures in collaboration with relevant business units. Document and apply an industry-leading IT framework for developing or enhancing this program. Disseminate the IT policies to all personnel of the organization. Conduct periodic security awareness training to ensure that the IT policies are well understood and cover other relevant security topics.
02 RISK IDENTIFICATION
This section covers activities involved with identifying cybersecurity risks, which include
IT Governance (i.e., organizational structure, policies, and procedures), Risk Management,
Asset Management, and Third-Party Management.
OVERVIEW
Effective risk identification is crucial to maintaining current awareness of cyber risks. These activities should be governed by a
risk management strategy including developing a risk appetite, establishing thresholds, and developing risk identification and
mitigation procedures. It is imperative to maintain a complete and accurate asset inventory noting critical components. Risk
identification should not be limited to conducting vulnerability scans and penetration tests.
Risk Management: 55.1% of respondents noted that Risk Management policies and procedures were finalized and disseminated to end users and relevant stakeholders.
Asset Management: 50.9% of respondents (more than half) noted that they did NOT have finalized/disseminated Asset Management policies and documentation.
The absence of these documents does not necessarily mean that the activities are not happening. However, the activities may
not be occurring in a standardized manner, in accordance with other policies, and all relevant stakeholders may be unaware of
risk management processes.
VULNERABILITY MANAGEMENT
36% of respondents did not conduct penetration/vulnerability tests. 26% conducted such tests quarterly, 22% annually, and 16% semi-annually.
The majority of respondents reported their last vulnerability assessment was conducted within less than a year (58.3%).
Outsourcing these tests has become more popular due to personnel constraints or lack of in-house expertise.
OUTSOURCING VULNERABILITY TESTS
53.5% of respondents use a third-party provider and 46.5% conduct the tests internally.
Periodically conducting such tests is crucial to understanding how vulnerable an organization is to compromise. After the initial test results, the frequency should be adjusted according to the adequacy of remediation activities, the organization’s understanding of high-risk areas, and the risk management strategy.
RECOMMENDATIONS
1. Risk Management: Develop and implement risk management procedures. Once risks are identified it is imperative for an
effective process to be in place to implement mitigating actions. These processes should ensure risks are tracked, prioritized,
and managed completely.
2. Asset Management: Develop asset management documentation. Procedures should be in place to obtain a complete and
accurate inventory of assets and their authorized custodians.
3. Vulnerability Scans and Penetration Tests: Conduct these scans and tests at a periodic frequency. Whether conducted by in-house personnel or a third party, the results from these tests are needed to dynamically manage identified risks.
03 INFORMATION & ASSET PROTECTION
This section covers activities involved with implementing safeguards to protect information and IT assets (e.g., workstations and infrastructure), which includes security awareness and role-based training.
OVERVIEW
Information is the new currency. Protecting information and interconnected assets is imperative to survival, business operations, and resiliency. Typically, “crown jewels” are the information and assets most vital to an organization, and advanced safeguards are needed to protect them. Organizations that lack clear information classification guidelines are more vulnerable to data compromise. Once appropriate safeguards are in place to protect information assets, all levels of personnel should be trained on their responsibilities.
Safeguards to protect information and assets can begin with a variety of sources such as regulations, standards, and control
frameworks. Organizations across various industries must identify the regulatory requirements applicable to them and adopt
a framework that best protects their information. Note, however, that compliance does not necessarily ensure security. Instead
it should be viewed as a baseline supported by additional policy, procedural, and technological framework necessary to protect
critical systems and to address known vulnerabilities.
The management of healthcare data is governed by the Health Insurance Portability and Accountability Act (HIPAA). Similarly, Federal government data must be managed in accordance with the Federal Information Security Modernization Act (FISMA), and some agencies have additional requirements. In other cases, standards may exist instead, such as the Payment Card Industry Data Security Standard (PCI DSS), which is for merchants who store, process, or transmit cardholder data.
Educating personnel on their responsibilities towards protecting crown jewels is as important as applying the appropriate safeguards. Awareness, education, and training responsibilities include providing communication, appropriate documentation, and sufficient training related to information protection. Organizations with robust and frequent training programs can minimize the risk of breaches. Middle-market organizations may not conduct security awareness training, or may do so infrequently, which hinders achieving optimal information protection program effectiveness. Training of internal personnel must be coupled with proper oversight of vendor relationships to validate that information and assets are handled appropriately. Further, training should be viewed as an investment in business reliability and not simply as an expense.
SURVEY INSIGHTS
Identifying Sensitive Information
The majority clearly did not have a process to identify different classes of information and hence apply the appropriate safeguards to protect their information.
51% of respondents noted that policies and procedures were NOT implemented.
45.7% of organizations have defined what “sensitive information” means to their business.
45.7% of organizations have not determined this definition.
8.7% of respondents responded that this definition was unknown to them.
Information Safeguards
Information protection should integrate and coordinate the capabilities of people, processes, and technology to establish multiple countermeasures to protect the confidentiality and integrity of information assets. Multiple layers of different types of safeguards have unique characteristics which can prevent an unauthorized person from gaining access to information assets. This approach, known as defense-in-depth, can significantly reduce the risk of a breach. The right mix of information safeguards requires focus on three areas:
1) People: This includes the right tone at the top, clear assignment of roles and responsibilities, segregation of duties, and training of personnel.
2) Technology: Diversified technological defenses within and outside the perimeter, including firewalls, intrusion detection, physical security controls, data loss prevention, etc.
3) Processes: The activities required to safeguard information on a day-to-day basis, including access management, vulnerability reviews, process controls, and incident response planning.
86.7% of respondents (the majority) use network security devices (e.g., firewalls, Intrusion Prevention Systems (IPS), and Intrusion Detection Systems (IDS)).
71.1% of respondents have physical security controls in place (e.g., badge readers).
66.7% use role-based access provisioning, 60% have segregation of duties controls, and 37.8% use data loss prevention (DLP) software.
RELIANCE ON SENSITIVE INFORMATION
Most respondents (38.3%) reported that 1-10% of their business depends on sensitive data (e.g., Personally Identifiable Information (PII) and Protected Health Information (PHI)). 21.3% of respondents reported 11-25% reliance, and 17% of respondents reported 51-75% reliance.
[Chart: mediums used for sensitive information; medium labels not recoverable. Note – Respondents were able to select multiple mediums that applied to their organization.]
Asset Management
An IT asset is any organization-owned information, system, or hardware that is used in the course of business activities. The
asset management process typically involves gathering a detailed inventory of an organization’s hardware and software and
timely validation of the assets at a regular frequency.
Most respondents (23.4%) conducted asset validation activities annually, followed by quarterly (19.1%), monthly (14.9%), weekly (6.4%), and semi-monthly (4.3%).
Education
Education and training are crucial to protect against information and asset security incidents. However, 36.4% of respondents noted their organizations did not conduct security awareness training. Of those who did deliver this training, it was most commonly conducted annually (38.6%). Role-based training was conducted predominantly on an ad hoc basis (43.5%), followed by not being conducted at all (37%), annually (13%), and semi-annually (6.5%).
Figure 2: Security Awareness Training Frequency. How often is security awareness training conducted? Security awareness training includes topics such as IT policies and procedures, incident management, and reporting. Annually: 38.6%; Not Conducted: 36.4%; Semi-Annually/Quarterly: 13.6% and 11.4%.
Security awareness training is intended to be applicable to all personnel by informing them of their responsibilities to protect organization assets. This also involves continuing education on current trends and ways to counter cyber threats (e.g., phishing emails, viruses, and ransomware). This training is essential to cultivating a security risk aware culture. However, it alone is insufficient for various roles, especially within the IT department. Due to the evolving nature of cyber risks and a lack of adequate resources, most organizations conduct ad hoc training. However, the reality is that in the 21st century risk environment, all roles, including senior leaders in the C-suite and board, should have periodic training. While not the only solution, it can often be a low cost and highly effective measure to limit cyber risk.
55% of respondents have NOT identified the sensitive information within their organization.
59.6% of respondents (a majority) indicated that less than 25% of their business operations were dependent on sensitive data such as personally identifiable information (PII).
86.7% of respondents indicated using network security devices such as intrusion prevention technology to safeguard information.
Regulations and Standards Compliance
26% of respondents responded “unknown” when asked to report the types of standards and regulations applicable to their organization. This demonstrates that some organizations are either unaware or uncertain of the regulations that apply to them. Regardless of the reason, it creates a precarious situation due to the potential consequences of non-compliance. It is also essential for organizations to be fully informed of their compliance obligations to ensure their supply chain and business partners are also compliant. This also applies to the usage of cloud service providers to conduct operational activities. In some cases, multiple regulations and standards may apply, which warrants consolidated control mapping efforts to streamline the efficiency of maintenance efforts.
Figure 3: Regulations and Standards Impacting Respondents (Select the regulatory requirements that apply to your organization). Categories: Defense Federal Acquisition Regulation Supplement (DFARS), Federal Information Security Management/Modernization Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley (SOX), Other, and Unknown (25.9%).
Regulations and Standards Impacting Respondents
DEFENSE FEDERAL ACQUISITION REGULATION SUPPLEMENT (DFARS): The Federal Acquisition Regulation (FAR) governs the way that the government can procure goods and services. DFARS applies to Department of Defense (DoD) contractors who are managing covered defense information within their systems. DFARS compliance is required by December 31, 2017.
FEDERAL INFORMATION SECURITY MODERNIZATION ACT (FISMA): FISMA applies throughout the Federal government and to contractors involved with supporting, maintaining, or providing the information and information systems that support the operations and assets of an agency.
GRAMM-LEACH-BLILEY ACT (GLBA): GLBA is also known as the Federal Modernization Act of 1999, which is a Federal law designed to control the management of individuals’ private information by financial institutions.
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS): PCI DSS is a proprietary information security standard for credit card management organizations. Specifically, it applies to organizations that store, process, or transmit cardholder data. The PCI Security Standards Council administers PCI DSS.
SARBANES-OXLEY ACT (SOX): The SOX Act was passed by the U.S. Congress in 2002 and requires all publicly held companies to establish internal controls for financial reporting to protect stakeholders from fraudulent accounting activities. Many non-public companies also comply with SOX as a best practice.
GENERAL DATA PROTECTION REGULATION (GDPR): GDPR standardizes privacy laws across the European Union and is applicable to all member states. GDPR compliance is required by May 25, 2018.
NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION CRITICAL INFRASTRUCTURE PROTECTION (NERC CIP): NERC’s mission is to oversee the bulk power system in North America to assure its reliability and security. CIP is a cybersecurity reliability standard used to achieve the mission. There are multiple compliance dates for aspects of the latest CIP Version 5 standards, which include 2017 deadlines.
Table 1 - Regulation & Standards Descriptions
Cyber attackers are aware that sometimes the easiest way to carry out an intrusion is to compromise a business partner instead of the primary target. Hence, it is imperative to implement a comprehensive third-party management program. Basic elements such as a policy, a vetting form, and corresponding procedures are key. The next step of communicating the program and user responsibilities is essential to promoting standardization and compliance. Services must be evaluated for cyber risks during the vetting process and on an ongoing basis to ensure minimum standards are adhered to per contractual agreements. Without a program and an oversight group (e.g., contracts team or IT risk and compliance team) to ensure minimum standards are being met, organizations are vulnerable to unidentified or improperly managed risks. The costs of implementing such programs should be weighed against the consequences of not having them in place at all or in an effective manner.
Third-Party Management and Minimum Security Standards
39.6% of respondents noted that a Third-Party Management Program is in place to vet third parties; 43.8% said this type of program was not in place; 16.7% were unaware of such a program.
51% of respondents noted that third parties are required to meet minimum cybersecurity standards set by the organization; 24.5% noted these requirements aren’t in place; 24.5% were unaware of such activities.
38.8% of respondents said that third-party compliance with contractual & cybersecurity standards was not monitored; 30.6% said such activities were monitored; 30.6% of respondents did not know if such activities occurred.
RECOMMENDATIONS
• Network Segmentation and Information Classification: Consider network segmentation to isolate sensitive information
including those that require compliance with regulations or standards from other types of data. Determine effective safeguards
for critical and sensitive data (e.g., multi-factor authentication and role-based access). An Information Classification policy
and procedures should be developed to categorize data to ensure the appropriate safeguards are implemented.
• Information Safeguards and File-Sharing Mediums: Implement and evaluate a defense-in-depth approach to security
safeguards for effectiveness. File-sharing mediums should be evaluated at initial deployment and on a periodic basis to
identify risks and restrict access to the minimum needed.
• Asset Management: Determine high priority and total inventory of assets to include in monitoring activities. Conduct asset
validity checks on a periodic basis. Coordinate asset management activities with Human Resources (HR) on-boarding and
separation activities.
• Security Awareness Training: Develop a training program that includes security awareness training and role-based training.
Incorporate compliance with the program requiring personnel to take the training. Determine when ad hoc security refreshers
should be shared via email, online courses, or in-person.
• Regulation and Standards Compliance: Conduct an assessment to determine all regulations and standards applicable to the organization. This includes understanding the business services provided, the types of data managed, contractual agreement details with customers and business partners, and related information. Identify gaps with requirements. Determine remediation solutions and priorities. Implement a compliance program to monitor controls and maintain awareness of requirement changes. Involve this subject in strategic planning documents and sessions to ensure continued compliance.
• Third-Party Security Standards: Determine the minimum security standards that should be in place for the various types of third-party relationships. Coordinate with legal personnel to determine the best way to incorporate and mandate these requirements. Ensure monitoring of compliance with these standards is incorporated into the Third-Party Management program.
04 EVENT DETECTION
This section covers activities involved with determining when a cybersecurity event has occurred, which includes the types of software and tools used for these processes. Incident management plans to address detected events are also covered.
OVERVIEW
The common phrase “it’s not a matter of if but when a breach will occur” is industry-agnostic. It requires senior leaders across organizations to candidly determine whether they could withstand the impacts of a significant cybersecurity event. When asked to estimate the likelihood of a cyber attack occurring within the next 12 months, 24% of respondents noted that the likelihood is inevitable. Considering the high likelihood of an incident, organizations should continue to focus on preparation to minimize adverse impacts and disruption time. The majority of respondents estimated that ransomware, viruses, and intrusions had a high likelihood of materializing, whereas insider threats and old architecture had a low likelihood. The ability to detect a potential event in a timely, effective, and accurate manner is vital to forecasting the quality of response efforts.
SURVEY INSIGHTS
Detection Measures
Implementing appropriate event detection software and measures, applying appropriate configurations, and having a process in place to address areas of concern are crucial to cybersecurity resilience.
29.5%: The most common type of event detection measure in place was security monitoring by a third party.
27.3%: Followed by the use of Intrusion Detection Systems.
20.5%: Audit logging and review.
13.6%: Security information and event management (SIEM).
You cannot defend against what you cannot detect. Hence, once technologies and tools are in place, properly configuring them is essential to optimize detection measures.
Have incident management procedures been finalized and disseminated to end users and relevant stakeholders? YES: 40%; NO: 60%.
Incident Management
60%: The majority of respondents have not finalized or disseminated incident response procedures to relevant stakeholders.
64.4% of respondents reported that their organizations have not designated a cyber crisis management team.
A cyber attack can impact almost every vertical of a business, disrupting operations and having potential legal and brand consequences. Yet our survey reveals that a disturbing 60% of the respondents have not finalized and disseminated incident response procedures across the enterprise leadership. The incident management team should be composed of individuals representing multiple business units (e.g., senior leadership, IT, communications, legal, accounting/finance, and local authorities). The diversity of representation is essential to ensuring all perspectives are considered and factored into the incident management plans.
Breach Response
42.2% of respondents experienced a data breach, cybersecurity attack, or intrusion; 35.6% of respondents noted that they did not experience any of these types of attacks; 17.8% of respondents noted that the presence of such incidents was unknown.
For those respondents who experienced a breach or similar event, the majority (44.8%) said they didn’t experience any adverse impacts.
Being unaware of a breach does not mean one did not occur. Event detection tools may not be in place or configured appropriately
to identify incidents. Even when sufficient safeguards are in place to deter and detect attacks, a “set it and forget it” approach should
not be taken. Instead, these controls must be continuously reviewed to withstand evolving threats.
Breach Impacts
When a breach has been experienced, a variety of impacts can result from the event. The 42.2% of respondents who experienced
a data breach noted the following adverse impacts on their organizations. They also reported the remediation actions taken.
31% The most common impact was operational delays.
13.8% Followed by intellectual property theft/unauthorized information disclosure.
10.3% Financial losses.
10.3% Reputational harm.
6.9% Regulatory fines.
3.4% And terminated relationships with customers or business partners.
12.5% In instances where financial losses were incurred, the most common impact was loss of revenue.
8.3% Followed by expenditures related to public relations.
8.3% Supply chain disruptions.
4.2% Technology.
4.2% And regulatory fines.
*Respondents were able to select multiple impacts encountered.
36.7% In recovering from the reported breaches, the majority of respondents did not take any specific remediation actions.
23.3% This was followed by training.
16.7% The acquisition of new network devices/security products.
10% And hiring cybersecurity consultants/specialists.
Business Continuity and Disaster Recovery
The impacts of a cyber breach for mid-market organizations can significantly affect operations, revenue, and reputation. These
organizations may not be able to absorb the costs of an incident and resume business activities. Larger organizations
may have capital reserves to address the monetary impact of breaches, including legal fees and lost revenue. Hence, the importance
of business continuity and disaster recovery planning cannot be emphasized enough.
12.2% Of respondents set aside business continuity funds to support cyber incident management activities.
75.5% The majority of respondents have not allocated funds for this purpose.
12.2% Were unaware of any budget allocated.
Cyber events can lead to considerable business interruptions or even closure. 46.5% of respondents did not have Business
Continuity / Disaster recovery plans finalized and distributed. Without these recovery mechanisms, the resumption of operations
may be delayed and may not achieve the intended level of performance.
Have Business Continuity / Disaster Recovery plans and/or procedures been initialized and disseminated to relevant
stakeholders? These include subjects related to protecting employees, assets, and information in a manner that
allows the business to continue operating despite an event/disaster.
Business Continuity / Disaster Recovery Plans
46.5% Of respondents noted that Business Continuity / Disaster Recovery plans were finalized and disseminated to relevant
stakeholders.
46.5% Did not have these plans finalized and distributed.
7% Of respondents were unaware of such documentation.
Have the Business Continuity / Disaster Recovery plans and procedures been tested to validate their effectiveness?
59.5% No
26.2% Yes - Tested Annually
7.1% Yes - Tested Every Other Year
7.1% Other
Figure 4: Business Continuity/Disaster Recovery Plan Testing
When a significant cyber incident occurs, response teams rely upon their plans being accurate and effective to expedite
activities. Hence, periodic tests of these plans are crucial to ensure that the procedures in place will effectively recover any
impacted systems or infrastructure. Organizations should consider what works best for them when developing these plans,
factoring in the types of services provided, the recovery and redundancy controls in place, and their thresholds for recovery.
Cyber Insurance
41.9% of survey respondents indicated that they had some sort of cyber liability insurance in place at their organizations.
This is a positive indication that survey participants are forward thinking in how they can build up their organizations’ overall
resiliency and cybersecurity. Yet cyber insurance remains a highly underutilized tool when it comes to cybersecurity. This is
largely due to considerable discrepancies in the insurance markets and confusion among the available insurance products.
Of all the cyber insurance policies in effect, 95% are bundled policies. This means the cyber policy is an add-on to another class
of insurance, most often a general liability or business owners’ policy. 5% of policies are what is called a standalone policy, which
offers more robust coverage and protection for cyber risk on a “first dollar basis.”
Against this backdrop, it is not surprising that 47.2% of respondents noted that it was not applicable to their organization.
This is a rather alarming finding, as the majority of organizations are exposed to potential cyber-attacks or breaches, and
insurance can help offset potential financial losses as one mitigation tool. Others noted that funding would be re-allocated in
response to a cyber incident, which is not a prudent risk-financing approach, as scarce financial resources, such as payroll and
payables, are typically already earmarked for their own purposes.
Many small and mid-market organizations may be uncertain whether cyber insurance is a worthwhile or affordable expense.
Others find the application process too burdensome or confusing and therefore opt to go uninsured. Even though cyber insurance
has been in existence for nearly two decades, it is only now getting widespread attention due to the rise in cyber breaches. When
evaluating cyber insurance policies, organizations need to conduct in-depth coverage reviews to ensure the policy
provides the right level of breach response and notification coverage, as well as liability protection. Additionally, conducting
a coverage gap analysis will help to identify key coverage exclusions. Perhaps the most important facet of a cyber insurance
policy is the response, breach notification and remediation support that is provided following a claim. In many cases, this
value-added support matters more than the financial limits or face value of a policy, and can serve as a crucial way to augment
often ill-equipped IT departments.
RECOMMENDATIONS
• Incident Management: Develop, finalize, and distribute these policies and procedures to relevant stakeholders. Designate
a cyber crisis management team composed of cross-functional roles and schedule periodic meetings with them to test
procedures.
• Breach Response: Incorporate breach response activities into incident management documentation to follow a similar
protocol structure where appropriate. Include remediation activity procedures to determine what type of actions will be
taken and a process to document cases where action is not taken. Analyze all relevant breach management requirements
including regulations, standards, internal policies, contracts, and other relevant areas to ensure these are factored into
governance documentation.
• Business Continuity / Disaster Recovery Documentation: Develop, finalize, and distribute these policies and
procedures to relevant stakeholders. Conduct periodic tests of these procedures to validate them for effectiveness. Make
updates to documentation based on test results and retain the test results for future reference.
• Business Continuity / Disaster Recovery Funds and Cyber Insurance: Evaluate options to determine if funds can be allocated into a
reserve to support these activities. Assess cyber insurance to determine if there are policies that could be beneficial to your
organization. Organizations should talk to their broker to conduct an analysis of coverage for cyber events. This is especially
true if organizations are depending on endorsements in their commercial general liability policies, as opposed to a stand-alone
policy. Consider the potential impacts to your organization and costs from the management of past incidents when
weighing funding options.
TOP CHALLENGES
Survey respondents indicated the top challenges faced by their organizations. The top challenges are listed in order of highest
response. Respondents could select all applicable challenges for this question.
LACK OF CYBERSECURITY PERSONNEL
The supply of cybersecurity professionals cannot keep up with the demand. According to the 2017 Indeed
Spotlight article titled, “The Global Cybersecurity Skills Gap Report,” Cisco estimated that there are 1
million unfilled cybersecurity positions around the world. In the same report, Symantec CEO Michael Brown
anticipated that figure will rise to 1.5 million by 2019. This amplifies the pursuits of organizations across
industries to attract and retain highly skilled professionals to support their program needs.
Recommendations
• Utilize cybersecurity-focused recruiting firms to address this deficiency, after determining that the associated fees
are worthwhile.
• Explore partnering with universities and colleges to develop a talent pipeline.
• Identify internal personnel who can be trained to support aspects of cyber initiatives.
• Participate in programs that encourage the next generation to pursue Science, Technology,
Engineering, and Mathematics (STEM) careers.
• Continue standard methods of posting job openings on professional organization job boards. This
includes full-time, seasonal, and internship opportunities. Firms that do not have the cybersecurity
expertise in house, or do not deem it cost effective to do so, can seek outside providers to carry out
these services.
• Cyber insurance policies can provide cyber breach response coverage, helping to bring the needed
expertise to combat a cyber-attack for a fixed cost. This is another cost-effective approach to
bridging the talent gap.
INSUFFICIENT/LACK OF DOCUMENTED POLICIES AND PROCEDURES
Policies and procedures are either non-existent or insufficient. Policies and procedures should support
an organization with meeting its strategic goals, regulatory requirements (if any), contractual and service
agreements. Oftentimes small organizations or organizations with small IT departments do not have these
documents in place due to other priorities. There is also a mindset of thinking only big organizations with
a significant number of employees would need such documentation. In other cases, some documentation
may exist but processes are not in place to ensure full coverage of subjects and to conduct periodic
reviews to validate effectiveness.
Recommendations
• Consider undertaking initiatives to develop or validate alignment with relevant IT frameworks and
standards. This could be done internally or by a consultant, depending upon resource and time
availability and other drivers.
• Develop a maintenance process of documentation that includes periodic reviews and approved
updates.
• Ensure policies and procedures are factored into appropriate training sessions based on user roles.
INSUFFICIENT CYBERSECURITY BUDGET
Funding allocated to execute cybersecurity initiatives is insufficient. As the threat landscape continuously
evolves, IT departments are challenged with addressing new developments while maintaining their current
network. Cybersecurity leaders continue to face the ongoing hurdles of balancing funds, technology, time,
and personnel to create the ideal recipe to sustain and expand their programs. As breaches and incidents
become more frequent, organizations must increase their investments in cybersecurity and implement
comprehensive defense in depth approaches.
Recommendations
• Consider holding feedback sessions with senior leadership to identify budget support opportunities.
This could include additional tailored trainings on cyber risk for senior leaders, adjusting the frequency
of cyber risk program report updates, revising the content or format of reports, or other areas.
• Consider reviewing the reporting content and format of IT current state and forecasts to identify
improvements. Specifically, identify ways of conveying complex IT concepts in a way that directly
illustrates business impacts and connections.
• Leveraging risk transfer solutions and insurance will allow organizations to place a fixed cost on
cybersecurity and transfer the financial exposure from the P&L and into the financial markets.
OLD SYSTEM/NETWORK INFRASTRUCTURE
Old systems/network infrastructure can be costly and time-consuming to maintain. Several reasons
contribute to the existence of old system/network infrastructure. In some cases, solutions have been
extensively customized to meet business needs and new replacement options may not meet requirements
or are too costly. Even in cases when budgets can be allocated, there may be other dependencies outside
of an organization’s control (e.g. business partner requirements) which may result in continued reliance on
legacy systems/infrastructure. With the advancement of cloud services, organizations are continuing to
determine the value in maintaining legacy versus new solutions.
Recommendations
• Review the lifecycles of old systems and network infrastructure to identify ideal transition schedules.
• Review dependencies from third-parties (e.g. customers and business partners) that may require the
use of old systems or network infrastructure to update transition schedules accordingly if needed.
• Prioritize transition needs for modern migration upgrades. Develop business cases for selected
priorities.
• Determine the most suitable presentation format to senior leaders to establish an understanding of
the needs and secure their support.
INEFFECTIVE ORGANIZATIONAL STRUCTURE
Organizational structures were noted to be ineffective to address cybersecurity needs. The reporting lines
for cybersecurity matters must be designed in a way to promote visibility, prioritization, accountability,
and integration into enterprise risk management activities. In organizations with ineffective organizational
structures, cybersecurity initiatives may not be receiving the appropriate attention and prioritization.
Recommendations
• Consider assessment options for organizational structure improvements by determining if this will be
conducted by internal personnel or consultants.
• Conduct an assessment which relies upon internal personnel feedback, industry standards, and best
practices to identify improvement opportunities.
• Present improvement opportunities to focus groups and senior leaders to determine a remediation
roadmap.
• Execute the remediation roadmap accordingly to support the organizational structure improvement
initiative. Develop a process to monitor the changes and re-evaluate any new challenges.
LACK OF LEADERSHIP SUPPORT AND CYBERSECURITY-SAVVY SENIOR LEADERS
There is a lack of leadership support and understanding of the overall cyber risk landscape. As with
any project, appropriate leadership support and reporting structures to monitor progress are essential
to producing successful outcomes. This issue may be compounded by senior leadership who are not
cybersecurity savvy and therefore unable to truly understand the landscape to provide proper guidance.
Senior leaders must be held accountable for cybersecurity initiatives and instill the value and business
impacts of such programs to their organizations. Adequate training should be provided throughout the
organization and especially for senior leaders to support informed decision-making to sufficiently manage
cyber risks.
Recommendations
• Obtain feedback from senior leaders to identify cyber risk areas that could be covered in trainings or
other guidance materials.
• Identify and coordinate the delivery of trainings for senior leaders, which could be conducted by internal
personnel or third-party providers.
• Determine other methods of cultivating leadership support and understanding, such as holding
more update briefings or modifying reporting contents or frequencies.
PATH FORWARD
Our interconnectedness via internal and external networks makes cyber risks systemic to businesses, their profitability, and, in the
most extreme cases, their very survival. As the cyber risk landscape is constantly evolving, navigating cybersecurity challenges
is a formidable undertaking. Organizations must be dynamic in their preparedness and response efforts and apply an agile
approach to effectively adapt to shifting developments. Organizations must approach cyber security holistically, implementing
technologies as well as education to achieve network resiliency and ensure business continuity.
Based on our analysis of the survey results, the survey partners make the following final recommendations on the path middle-
market organizations must take to stay ahead of the next threat.
EVALUATE NEW TRENDS FOR SECURITY AND COMPLIANCE IMPACTS
Establishing a program to maintain awareness of regulations, standards, and framework changes is crucial to implementing minimum
controls and avoiding non-compliance penalties. Looking ahead, organizations should consider complementary technologies that will
help with maintaining compliance while also focusing on achieving security objectives. Emerging trends such as blockchain, artificial
intelligence, and machine learning should be evaluated to determine business opportunities and potential impacts to current operational
processes. Organizations that can harness these technologies in a compelling way may reap the benefits of competitive advantages. In
addition the continued usage of service providers and other existing technologies can support cyber professional staffing gaps.
A compliant program does not always guarantee a secure program, but compliance can support security goals. Despite considerable
efforts from internal IT teams and external organization involvement, there may still be concerns about whether requirements for a
framework, regulation, or standard have been completely satisfied or are sufficient. In such cases, consultants can be leveraged to
provide a second review to validate compliance activities. Engaging with consultants can help to address ambiguity in compliance
requirements, provide insight on industry best practices, and identify actions needed to work toward compliance.
PREPARE FOR BUSINESS TRANSACTION OPPORTUNITIES
The middle-market is where many business transactions take place. If the possibility of a merger or acquisition is on the horizon,
organizations should undergo assessments to determine the readiness of such activities. During mergers and acquisitions, IT due
diligence efforts will focus on understanding the IT governance in place, which includes reviewing IT policies, procedures, and related
items. For organizations that do not have regulatory or standard requirements, additional lead time may be needed to attain a suitable
level of maturity in the IT environment to support a favorable transaction. However, the internal operational benefits remain. In addition, if
the possibility of a merger or acquisition is on the horizon, such governance documentation should be evaluated to support the viability
of the transaction.
These types of IT due diligence efforts run more smoothly if the governance structure and documentation has been established before
negotiations begin. This is where other IT frameworks can be used to facilitate standardization and leading practices. In addition,
consultants can be invaluable in conducting assessments from the readiness stage to the completed transaction to support merging
IT environments. The absence or the inadequacy of such governance documentation could adversely impact the transaction opportunity.
LEVERAGE INFORMATION SHARING GROUPS
Organizations have often viewed information sharing about incidents and threats apprehensively. However, the collaboration
between private and public sector entities continues to be advocated for to increase resiliency to cybersecurity threats.
Viewing threats with this team mindset has led to the development of Information Sharing Analysis Organizations (ISAOs),
which are designed to facilitate information sharing as close to real-time as possible. There are ISAOs for various industries
that should be leveraged as another valuable resource in combating cyber risks.
CONSIDER CYBER INSURANCE BENEFITS
When evaluating the purchase of cyber insurance, organizations should examine their resiliency and ability to survive a cyber-
attack. Much like life insurance, organizations that have not planned accordingly or set aside adequate reserves to pay for
the mitigation services, lawsuits and potential business interruption issues associated with a cyber-attack will perish. Cyber
insurance is a relatively new class of insurance. Due to the fast-changing nature of cyber threats, and lack of historical claims
data, pricing and coverage do vary from carrier to carrier. Yet organizations that do not make cyber insurance a part of their
defense-in-depth model leave themselves exposed to large financial losses. For this reason, as well as the incident response
resources that cyber policies provide, organizations should consider this as part of their cybersecurity platform. Organizations
that do not have a fortress balance sheet to absorb large losses, should evaluate their financial resiliency as well as their digital
footprint, cyber incident history, risk profile, and overall health of their IT environment to assess if cyber insurance is necessary.
A proactive IT environment, including risk mitigation strategies that embrace a layered approach of technology, processes, and
trainings, can ultimately lead to more efficient underwriting. This will yield expanded coverage and lower pricing. While cyber
endorsements on traditional business owner’s policies provide a basic level of protection, working with a broker to find unique
stand-alone solutions can ensure better protection in the event of an attack. Middle-market organizations should consult with
various brokers to identify reasonable cyber insurance policies that are best suited for them.
ABOUT THE SURVEY PARTNERS
ABOUT ARONSON LLC
Aronson LLC provides a comprehensive platform of assurance, tax, and consulting solutions to today’s most active industry
sectors and successful individuals. For more than 55 years, we have purposefully expanded our service offerings and deepened
our industry specialties to better serve the needs of our clients, people, and community. From startup to exit, we help our clients
maximize opportunity, minimize risk, and unlock their full potential.
Our Technology Risk Services Group offers comprehensive cyber security auditing and consulting services. Our consulting
focus areas include: cybersecurity; governance, risk and compliance; internal IT auditing; and process improvement. For more
information, visit http://www.aronsonllc.com/services/technology-risk or contact our team today.
Payal Vadhani
Technology Risk Lead Partner
301.231.6259 | [email protected]
ABOUT RISK COOPERATIVE
Risk Cooperative is a specialized strategy, risk and insurance advisory firm licensed to originate, place and service innovative
risk-transfer and insurance solutions in all 50 states, D.C. and Puerto Rico. Risk Cooperative helps organizations address risk,
readiness and resilience through a comprehensive service and solution offering in partnership with leading insurance companies
and value-adding partners. For more information, visit www.riskcooperative.com or contact our team today.
Andres Franzetti
Chief Strategy Officer and Founding Member
202.688.3560 | [email protected]
ABOUT RIDGE GLOBAL, LLC
Unlike natural disasters or other events that can disrupt your business, cyber attacks occur every minute of every day in
every industry. While the threat cannot be eliminated, Ridge Global can help you aggressively assess and manage your
risk. We continually evaluate emerging tools to address evolving threats so you can be assured that you have access to the
best and latest solutions. Ridge Global was founded by Tom Ridge, the first U.S. Secretary of Homeland Security and 43rd
Governor of Pennsylvania, to help organizations decrease security risks. He has assembled a team of globally recognized
experts who offer clients strategic counsel on identifying, preparing for and mitigating enterprise risk. For more information,
visit www.ridgeglobal.com.
Chris Furlow
President
202.833.2008 | [email protected]