Report: European Companies Have Only ‘Basic Understanding’ of Cyber Risk

An employee of the European Cybercrime Centre (EC3) works on his computer in The Hague. The EC3 is hosted by Europol, the European law enforcement agency. The Centre will be the focal point in the EU’s fight against cybercrime, contributing to faster reactions in the event of online crimes.
Photo: Ilvy Njiokiktjien/AFP/Getty Images
Despite an increased concern about the serious impact of cybersecurity-related incidents, European organizations “have under-investigated cyber risks and need to do more to assess their exposures,” according to a recent report.
The European 2015 Cyber Risk Survey Report from Marsh notes that an “overwhelming majority” (79 percent) of organizations have, at best, “a basic understanding of their cyber risk profiles, putting them in a relatively poor position to prioritize their risk mitigation efforts and risk transfer strategies.”
Meanwhile, one in four organizations surveyed don’t even consider the threat of cyber risk to be of sufficient concern to place it on the risk register, and 30 percent place the risk outside their top 10 risks.
A main reason that cyber risk appears to be such a low priority is that IT departments carry the primary responsibility for mitigating the threat, the report said, noting “the oversight of cyber is located in a part of the business that doesn’t have the capability and/or authority to carry out the financial evaluations and more detailed scenario analysis required to adequately assess the risk posed to the organization.”