For the third time in four years, cyber threats are the top overall concern for business decision-makers, according to a new study released by The Travelers Companies. According to the 2022 Travelers Risk Index, more of the survey’s 1,200 participants felt that today’s business environment is riskier than a year ago, and 57% think a future cyber attack on their organisation is inevitable.
While cyber threats were once again the leading concern of business decision-makers, other issues were close behind – a change from 2021, when cyber threats held the top spot by six percentage points. This year, 59% of survey respondents said they worried some or a great deal about cyber threats, followed by broad economic uncertainty (57%), fluctuations in oil and energy costs (56%), the ability to attract and retain talent (56%), and medical cost inflation (55%). Large increases were seen in concerns about oil and energy costs (a 16-point jump from last year’s 40%) and supply chain risks (54%, up from 43%).
“Cyber attacks can shut down a company for a long period of time or even put it out of business, and it’s imperative that companies have a plan in place to mitigate any associated operational and financial disruptions,” said Tim Francis, enterprise cyber leader at Travelers. “Effective measures that have proven to reduce the risk of becoming a cyber victim are available, but based on these survey results, not enough companies are taking action. It’s never too late, and these steps can help businesses avoid a devastating cyber event.”
Travelers warned that overconfidence in navigating the cyber landscape is creating a false sense of security among business leaders, with 93% of respondents saying they were confident their company had implemented best practices to prevent or mitigate cyber events. However, when asked whether their company had taken specific prevention measures, the majority had not; 64% don’t use end-point detection and response, 59% have not conducted a cyber assessment of their vendors, and 53% do not have an incident response plan.
Many companies don’t even utilise simple cyber prevention tools such as multifactor authentication (MFA). According to the report, 90% of respondents said they were familiar with MFA, but only 52% said their company had implemented it for remote access. This is despite Microsoft stating that 99.9% of account compromise attacks are blocked by adding MFA to verify a user’s identity, and Arete stating that 94% of ransomware victims did not use MFA.
Other survey findings included:
- The cyber-specific concerns that stayed in the two top spots were suffering a security breach or system hack (57% said they worried some or a great deal) and a system glitch causing a company’s computers to go down (55%). Becoming a cyber extortion or ransomware victim moved from eighth place to third this year at 54%
- For the seventh straight year, there was an increase in the percentage of survey participants who said their company had suffered a data breach or cyber event. This year, 26% said their company had been a victim of a cyber event, with nearly half of those saying the event had occurred within the last 12 months
- Of those who said their company had suffered a data breach or cyber event, 71% have been victimised more than once
- Nearly 75% of respondents said they believe having a cyber insurance policy was critical, but the percentage who said their company had purchased coverage was 59%, up only three points from last year. Small businesses accounted for the largest increase of cyber policy purchasers, up from 30% in 2021 to 38% this year
“Multiple cyber attacks might not be random – if you were vulnerable before and don’t take appropriate action as a result, you continue to be at risk,” Francis said. “It’s important to take the prospect of a cyber attack seriously and to put your company in position to successfully manage a likely event.”