A series of initiatives designed to boost cybersecurity awareness among Italy’s small and medium-sized businesses (SMEs) has revealed a high level of cyber insurance adoption but also uncovered a lack of preparedness in crucial areas.
Almost two thirds of Italian companies that participated in a recent cybersecurity workshop either have a cyber insurance policy or are in the process of getting one. However, while a 64% rate of penetration is to be welcomed in a market dominated by SMEs, just 33% have a continuous cybersecurity training programme in place and 34% have never allocated any resources to cybersecurity-related activity.
Furthermore, fewer than half of Italian companies have a crisis management team in place to manage the aftermath of a cybersecurity breach, while more than a quarter (27%) have no business continuity systems.
The statistics raise concerns about the level of cyber resilience among Italy’s corporates.
The Cyber Academy, a series of webinars on cybersecurity, was launched by Italy’s risk management association Anra and broker Willis Towers Watson. The initiative was designed to promote cybersecurity and collect feedback from risk managers on how to improve digital resilience.
It follows the recent creation of a National Cyber Security Perimeter and a Cyber Security Agency, which have introduced mandatory requirements not only for 223 so-called ‘critical’ organisations but also for all other businesses along their supply chains.
At the same time, the pandemic has led to a massive use of remote working and greater adoption of digital technology, thereby increasing companies’ exposure to cyber risk and amplifying the importance of cyber resilience.
Cybersecurity is also likely to become a fundamental requirement, given that digital transformation is a stated objective of the National Recovery and Resilience Plan.
For the participating companies in the Cyber Academy, the use of risk analysis, definition of mitigation measures, monitoring of cyber incidents and management of third-party risks were all identified as methodologies that must be adopted.
And while the relatively high level of cyber insurance adoption is to be welcomed, there is also recognition that insurance coverage is not enough to build real cyber resilience.
The workshops also identified employee training as one of the first areas in which to invest, in order to create an awareness of risks and spread the use of adequate and updated technological procedures and tools.
Indeed, human error or distraction is the greatest vulnerability according to 47% of Cyber Academy participants, followed by the use of inadequate defence systems (45%). It is therefore worrying that just a third of Italian companies have continuous cybersecurity training in place, despite acknowledging the importance of employee awareness.
Another area identified as lacking maturity was business continuity and managing the secondary consequences of a cyberattack, which can often be more destructive than the initial incident. Despite this, 27% of the companies involved stated that they do not have business continuity systems. Furthermore, half (49%) of those that have adopted them say they are not adequately formalised.
Investing in business continuity systems without completing the work needed for those systems to function when activated is a missed opportunity; companies should instead see it through, with a view to continuous improvement and long-term resilience.
Another fundamental element for building cyber resilience is the presence of a crisis management plan, with codified roles and procedures that allow the consequences of a possible attack to be contained. Fewer than half of the companies involved (43%) have a crisis management team, and in 44% of those cases it has never carried out exercises.
Establishing an organisational structure with responsibility for crises is the first step, but it is not enough. It is equally essential to have a testing programme that will enable that structure to respond in a coordinated manner to any crisis. Only an aware, trained and competent team can really make a difference.
While the path to cyber resilience may seem long, knowledge of cybersecurity is rapidly expanding among Italian companies and professionals. For example, 26% of organisations have carried out analyses of specific cyber scenarios, and 35% of those have quantified their exposures to the point where they are able to make a general estimate of their maximum economic exposure to the identified scenarios.