We're sorry but your browser is not supported by Marsh.com

For the best experience, please upgrade to a supported browser:

X
Canada CA
Americas
Asia Pacific
Europe
Middle East & Africa
English EN

RESEARCH AND BRIEFINGS

Embrace of New Technology Adds Further Cyber Risk Complexity

 


Businesses are enthusiastically embracing technological innovation, and most say the benefits outweigh any risks. But assessment of cyber risk associated with new and transformative technologies is not as rigorous and continual as it should be, according to our 2019 Global Cyber Risk Perception Survey.

More than three-quarters of 2019 survey respondents are adopting or considering at least one innovative operational technology — including cloud computing, proprietary digital products, and connected devices/IoT.

Even traditional sectors such as manufacturing expect almost 50% of the products they develop to be “smart” or “connected” in some way by 2020, opening up new revenue streams in data-driven services.

Question: For each of the following technologies, please indicate which consideration or usage scenario best applies to your organization. Artificial Intelligence/Machine Learning – 50% Blockchain – 32% Robotics/Process Automation – 59% Digital Products and Apps Developed by our Organization – 70% Connected Devices/loT – 74% Cloud Computing – 90% 77% have already adopted at least one of these technologies 76% are piloting or considering adopting at least one of these % of organizations that have adopted or are piloting/considering each technology Base: All answering, excluding don’t know responses: n=588-773 (2019)

Cybersecurity challenges can manifest whenever new technology is integrated into business infrastructure, bringing new and additional complexity to an organization’s technology footprint.

The security risks and exposures presented by new technologies must be weighed against the potential transformative business effects, and risk tolerance varies both by industry and by individual company. 

New Technology:  The Opportunity / Risk Spectrum 

Asked where their own organization falls on the new technology risk/benefit spectrum, half of respondents stated that cyber risk is almost never a barrier to new technology adoption, and a quarter of respondents had no strong views on the issue.

Question: For each of the following pairs of statements, please indicate which most strongly reflects your organization’s attitude. For most new technologies and products, the risk outweighs the benefit/opportunity to our business. 23% 27% in the middle The potential opportunities and benefits offered by new technologies and digital products are so compelling that risk is almost never a barrier to adoption. 50% % of organizations agreeing with each of the statements (presented to respondents as a trade off) Base: All answering: n=852(2019)

The prevailing preference is to embrace digital transformation despite potential security issues.

Still, 23% of respondents said that most new technologies present risks that may outweigh the potential benefits and opportunities. This risk aversion was especially common among smaller business firms (annual revenues under $100 million), regardless of sector.

Risk Uncertainty

Despite the enthusiasm for new and emerging technologies, there was uncertainty about the degree of associated risks. 

Scale: 1 minimal to never, 2 Slightly, 3 Moderately, 4 High, 5 Extremely High, 6 Don’t know. Cloud Computing: 5% minimal to never, 11% slightly, 21% Moderately, 28% High, 23% Extremely High, 12% Don’t know. Connected Devices/loT: 9% minimal to never, 7% slightly, 17% Moderately, 24% High, 25% Extremely High, 18% Don’t know. Digital Products and Apps Developed by our Organization: 13% minimal to never, 11% slightly, 21% Moderately, 24% High, 14% Extremely High, 17% Don’t know. Artificial Intelligence/Machine Learning: 19% minimal to never, 12% slightly, 20% Moderately, 16% High, 9% Extremely High, 24% Don’t know. Robotics/Process Automation: 21% minimal to never, 15% slightly, 19% Moderately, 16% High, 8% Extremely High, 21% Don’t know. Blockchain: 22% minimal to never, 11% slightly, 15% Moderately, 9% High, 6% Extremely High, 37% Don’t know. Base: All answering for each technology, varies from n=900(2019)

Cloud computing elicited the fewest “don’t know” responses regarding the degree of associated cyber risk (12%), while blockchain had the highest (37%).

The highest amount of uncertainty was expressed for the newest or most autonomous technology developments.

Need for Continual Risk Assessment

Assessment of cyber security risk is too often seen as an event that occurs at a single point in time — often, the initial exploration and testing stage — rather than a continuous evaluation at multiple stages of implementation.

Question: When adopting and implementing new technologies, such as those you have just identified, at which of the following stages is cyber risk typically evaluated in your organizations? Technology Adoption Lifecycle 74% Evaluate risk prior to adoption in some way 67% During the exploration/testing stage 24% When finalizing purchase/contract 54% Evaluate risks post adoption in some way 37% During onboarding/implementation 29% Post implementation/in use 25% When a cyber attack/incident occurs Only 36% evaluated risks both prior to and after adoption. Just 5% evaluate risks at all possible stages of the lifecycle 11% don’t evaluate at all Base: All answering, excluding don’t know: n=696 (2019)

Only 36% of organizations reported examining potential risks of new technology both before and after adoption, and just 5% said they evaluate cyber risk at every stage in the technology lifecycle.

Notably, the select group of organizations that evaluate cyber risks continuously throughout new technology implementation are also much more confident in their capabilities to manage or respond to cyber-attacks.

Armed with timely knowledge of potential security weaknesses or exposures, they are positioned to implement real-time improvements and develop contingency plans to manage risks involving these systems.

Trust in Technology Vendors

Assessment of new technology cyber risk is closely associated with the trust that organizations have — or lack — in the vendors that supply those technologies.

Innovative technologies do not necessarily add new cyber exposures to the organizations that adopt them.

Some innovative technologies may add new risks if they have not been built in accordance with optimal security standards, but in many cases, security is factored by design into the development of the technology or device.

One-third of organizations assume that technology vendors have already considered all relevant cyber risks and that further verification is unnecessary.

The converse view is not significantly greater: 40% of respondents said they “always perform their own due diligence” to verify security claims and built-in protections that vendors make regarding new technology.

your organization’s attitude. We trust that technology and digital product vendors have considered all relevant cybersecurity risks and embedded adequate security protections. 32% 25% in the middle We never accept security claims for new technologies or assume security protections are built-in we always perform our own due diligence. 40% % of organizations agreeing with each of statements (presented to respondents as a trade off) Base: All answering n=803 (2019)

Every company necessarily relies on a certain level of trust in its relationships with vendors and suppliers.

However, given the potential importance of technology platforms and services to core assets and operations, a rigorous, trust-but-verify stance can help ensure the validity and adequacy of protections pledged by third-party providers.

This heightened vigilance is especially important where new digital processes will be inherent to firms’ business models.

Read the full 2019 Cyber Survey Report produced in partnership with Microsoft. 

Marsh.com Login

Please log in to access the full marsh.com site.

Click here to login as colleague

Forgot password Register

*Required