As the home of over 700 million people, Europe is a huge continent that has rapidly embraced technology and the digital age. With Europeans making everyday use of technology such as Chip and PIN, contactless payment cards and online shopping, there is seemingly no escape from this digital revolution. Absolutely paramount to the success of companies that conduct their business digitally, and vital for the protection of those who interact with those companies, is cyber security.


How many European businesses are considering this? And what are they actually doing about IT security policies, methods and integration? Helping to answer those questions is Marsh, a global leader in insurance broking and risk management, which has conducted a survey to find out.

A survey highlights these problems.

Marsh's European 2015 Cyber Risk Survey Report not only looks at how European businesses are tackling cyber security but, on a much more specific level, is an in-depth study of their attitudes towards it as well as "the processes they have in place, and their understanding and use of cyber insurance", the firm explains. Rather than being a way to scare consumers or keep shareholders awake at night, the report paints a clearer picture of where the problem areas are and what security teams can do to address them.

To gather its benchmarking data, Marsh surveyed risk professionals from large and medium-sized corporations across the continent.

Risk professionals raised a few points.

Many of the points raised by the risk professionals were negative ones, as they have deep concerns about what their organisations aren't doing or thinking about.

  • Asked "to what extent do you believe your organisation has a clear understanding of its exposure to cyber risk?", just 21% of respondents said that their organisations have a complete understanding. 49% said that they have a basic understanding, 26% said that they have a limited understanding and 4% of organisations have no understanding whatsoever.
  • As for where IT security features "in the corporate risk register" 30% said that it falls outside of the top 10, 28% said it was a top 10 risk and 17% said that it's a top five risk. That would be positive, except for the fact that the remaining 25% of organisations don't feature it on their risk registers at all.
  • In terms of who takes responsibility for reviewing and managing cyber risks, 65% said that it's up to "IT function including security", 11% said that it's left to the board to decide, 11% is up to the risk management team and 13% is left to other.
  • Also important to note is that a massive 68% of respondents said that their firms had not put together loss estimates for a breach or cyber attack. 13% estimated losses of less than 1 million euros, 9% estimated losses of between 1 and 5 million euros and 11% estimated losses of more than 5 million euros.

Marsh's survey shed light on a few possible areas for improvement.

The two main ones are the lack of control over the cyber risks posed by suppliers and affiliate companies, and the lack of "proper oversight" of how companies assess cyber risk.

Just 57% of respondents said that they had identified "one or more cyber scenarios that could most affect [their] organisation". Of those whose organisations had identified such scenarios, only 33% said that they had "a plan in place to access sources of appropriate funding to deliver both the required amount of funds and to be accessible at the point when it is needed". On the other hand, 61% of respondents said that their organisations either definitely or partially had incident response plans in place.

European corporations need to take cyber threats more seriously.

This includes everyone at all levels of the business: the finance function, the IT security department and those who make key business decisions all need to be involved in how the organisation tackles these threats, how it closes potential attack vectors and how it handles or restores shareholder confidence after a breach.

In terms of the external and affiliate organisations that a company may work with, Marsh describes these as "one of the key vulnerabilities to companies' network", largely because "while organisations can control their own networks, they have much less control over those of the suppliers and affiliates that they might be linked to". Additionally, 77% of respondents said that their organisations do not assess these external organisations' cyber security policies.

European Businesses must improve their Cyber Security.

Now that you have a rough idea of which aspects need work, it's time to consider the tangible actions you can take to address them.

First and foremost, consider security testing. Through penetration testing and vulnerability assessment, security specialists work out how an attacker could breach your company: how they would get into its network, reach its data and the other assets of its digital ecosystem, and which attack vectors and methods they would use. With this information you can close those gaps before a real attacker finds them, preventing a loss of data that could lead to financial and reputational damage for your company. Bear in mind that a penetration test is a snapshot of one point in time, so it needs to be repeated as systems change rather than treated as a one-off exercise.

The other action you can take is adopting a secure software development life cycle (secure SDLC). With a secure SDLC, any piece of software that your company releases, such as a mobile app, has security built in from the very first step: security requirements, threat modelling, code review and security testing are part of every phase from design onwards rather than being bolted on at release. Not only is this useful for closing off an attack vector (attackers can and will try to use your software as a way of reaching your and your customers' private data), it also improves your company's attitude towards security and its understanding of just how important it is, which, as we know from Marsh's survey, is one of the key things that European businesses need to improve.

Written by Igor Mancini

Marketing Director at Advantio. The articles published in the Advantio Blog have the goal of supporting our mission: making IT Security simple for everyone.

My intention is to discuss IT Security related topics through the eyes of a non-technical person, speaking a simple language and trying to show readers the benefit of IT Security best practices.