Cyber risk is not something that organizations can suppress or reduce to insignificance. Because companies now rely on IT and technologies such as computing and mobile devices and allow employees to work on their own devices, incidents will happen and preparations for incident response are vital.
The news, in this respect, is mixed. Almost two-thirds of survey respondents say their organization has formally assigned roles and responsibilities to key individuals as part of an incident response plan. However, few have made contingency plans with preferred vendors. Fewer than half said they have a strategy for communicating with the general public in case of a cyber risk incident. The public sector is doing better in this respect, with more than 60 percent of respondents saying they have such a strategy.
Organizations surveyed are introducing new systems and standard practices to mitigate information security and privacy risk. Three out of four respondents said their organization has introduced new IT infrastructure and more than two out of three now regularly update their antivirus software, while a similar proportion have introduced secure configurations for network devices such as firewalls, routers, and switches.