Cyber threats are no longer distant possibilities but daily realities for organizations of every size and sector. Rising costs from breaches, regulatory scrutiny, and supply chain vulnerabilities have elevated cybersecurity from a technical function to a central business risk.
Companies are being forced to consider not only how to defend against attacks but also how to recover quickly when disruptions occur.
Greg Eskins, global cyber product leader and head of the Global Cyber Insurance Center at Marsh, described how organizations are approaching cyber risk at a time when threats are growing more complex and costly.
“Cyber risk remains real and ever-present, providing an opportunity to implement key measures that can make a material difference in your road to resilience,” Eskins said in his cyber risk insights.
He added that cyber threats are no longer confined to technology departments. “It’s moved from an IT department issue to one that makes, and even drives, the agenda at board meetings,” he said.
Eskins said that organizations are making progress by focusing on the basics. “Cyber risk resilience is making good progress. That’s largely due to organizations focusing on the basics – prioritizing and implementing effective and robust cybersecurity controls,” he said.
“These controls can include measures such as strong access controls, regular software updates, encryption of sensitive data, and multi-factor authentication,” he said. “Such incremental improvements quickly add up and can significantly reduce the risk of cyberattacks and breaches – even from sophisticated attackers.”
Cyber threats change as new tools emerge, Eskins said, noting that artificial intelligence is currently shaping both defenses and attacks.
“Many organizations are exploring the use of AI tools to bolster their cyber defenses, for example by filtering the flood of alerts they generate so the most urgent are sent to a human analyst. However, there is also concern about attackers using AI to find weaknesses or even write malicious code.”
Eskins also raised concerns about supplier-related risks. “Even organizations with their own secure and well-managed systems often don’t know how secure their third parties are, let alone fourth parties, and others even further down the chain,” he said.
“A compromised third party can cause disruption by making a supplier unavailable and by opening a route for attackers to infiltrate connected organizations.
“Third parties often handle sensitive data that, if exposed, could have consequences including reputational damage and regulatory sanctions, such as those under GDPR in Europe,” he said. “The US hasn’t taken such a strict stance over privacy yet, but changes are expected.”
To build resilience further, Eskins said companies should examine their own tolerance for cyber risk. “Which assets and services are mission critical and must absolutely be protected? What would it cost – in money, time, and reputational damage – if exposed or disrupted?” he said.
“Focus on ways to recover mission critical operations in the event of a disruption,” Eskins added. “Use tabletop exercises, vendor assessments, and case studies to help determine what the right defense and recovery measures should be. Establish robust processes and policies, so that everyone knows what they should be doing day-to-day and when a crisis materializes. Finally, build this into a plan for recovering from an incident – and test it regularly.”
Eskins emphasized that strengthening defenses does not always require heavy investment. “Security improvements need not be expensive. There are plenty of resources available to help,” he said.
“Organizations should make use of internal experts and ensure they are involved in the planning of new cybersecurity platforms and cyber risk responses,” he said. “Knowledgeable partners can help too.”
“Organizations can also connect with informal networks, such as peer organizations and trade bodies. These can often help with sharing best practice and offer warnings of emerging risks,” Eskins said.
Eskins closed by underscoring that resilience must be sustained over time.
“In the ever-changing landscape of cyber threats, there is no finish line,” he said. “It is essential not to overlook the importance of maintaining your best cyber risk resilience practices and using threat intelligence to stay ahead of potential risks. It is important to recognize that maintaining business resilience amid the increasing complexities of enterprise, operational, and third-party cyber risks should be an ongoing effort throughout the year.”