The past year has taught us that just about anyone—any organization or individual, of any size or global standing—is susceptible to a cyber attack.

The frequency and severity of data breaches continue to mount, and at the same time the nature of cyber security and its technical solutions is evolving rapidly in response. For businesses, staying abreast of the threats is challenging enough, let alone sourcing the right solutions. However, shifting the focus from prevention to resilience is an approach that can empower businesses. Instead of solely building the “best security infrastructure,” businesses should evaluate agile risk management protocols that take an enterprise risk management approach and include all key stakeholders, including those beyond the IT department.

It all comes down to creating a mindset of resilience, which means identifying the risks, establishing best practice IT protections and creating effective response plans—all with the goal of achieving a successful recovery.

Earlier this year, Zurich joined with ESADE Center for Global Economy and Geopolitics (ESADEgeo) to release Risk Nexus: Global Cyber Governance: Preparing for New Business Risks. The report examined the current and evolving nature of cyber risk, reviewed the existing global governance framework and proposed new paths to tackling the current disorder in cyber space. Among the report's findings is the need for the private sector to employ practices that can help increase overall cyber resilience.

Total prevention of a breach may not be feasible, but there are certainly measures that businesses can take to help increase their level of resilience. To that end, it's very important for companies to create rapid detection mechanisms and to establish protective barriers, segmenting parts of the corporate network via additional firewalls and rigorous access control. When data is segmented, a breach in one area of a corporate network does not automatically expose all segments, because each segment is separately protected.

There also needs to be an information security function dedicated to oversight of the following best practices: regular monitoring of the network, examining potential areas of exposure, performing regular updates, ensuring encryption is in place where needed, guaranteeing that technology is kept current and creating awareness and understanding of the key role of human behavior.

[Image: newspaper headline about a cyber attack (Shutterstock)]

Cyber security not just an IT issue

Cyber security is not merely an IT issue. Management should encourage an enterprise risk management approach that promotes awareness of cyber risks throughout all levels and functions of an organization. Employees should receive regular training and communication on the importance of data and record management, on protecting corporate assets and information, and on understanding their greatest areas of vulnerability, including phishing attacks and other manipulations of human nature. It's critical that they are engaged in ongoing security awareness training so that they recognize the potential impact of their actions and know how to respond if they find that security has been compromised.

Businesses also need to look beyond their four walls, being cognizant of interconnections that extend outside of their organization and could lead to a ripple effect of damage. Vendors and other business partner relationships should be carefully vetted and considered when implementing a cyber-security strategy: What are their IT controls and their business continuity preparedness? What do business partners contribute to the company's overall exposure? For instance, if a healthcare organization outsources records management to a third party and that party is hacked, what is the impact? How is the business partner prepared to escalate communication of the issue to the company? What does the contract language state about IT controls, communications, and limitations of liability? Being fully aware of these pain points is absolutely vital for being able to quickly recognize when a breach has occurred, identify the issue and mitigate the damage.

Have a tested response plan in place before a breach occurs

Finally, organizations must make sure they have a tried and tested response plan in place before a breach occurs. There need to be designated points of contact and escalation paths in the event of a breach, and a clear set of protocols for mitigating the damage. The plan needs to be documented, and it should be reassessed and tested on a regular basis by pinpointing a business's greatest exposures, identifying stakeholders and running table-top exercises that cover various breach scenarios. Business continuity planning needs to be top of mind.

The good news is that awareness of the importance of cyber security is undoubtedly on the rise. For the past four years, Zurich has teamed up with Advisen Ltd. to produce an annual cyber security survey of risk managers and executives. The results have shown us that the percentage of boards and executives who consider cyber security a top priority has increased every year.

We are seeing that firsthand as well—demand for our risk engineering services has increased tremendously over the past few years and we've had more than 50% growth in our cyber-related products year over year since 2010—and we expect that to continue. C-suite and board interest is key—ultimately, investment and budget decisions are made at that level and it is crucial that the decision-makers are well-versed on the latest threats and risk management capabilities impacting their businesses. With billions in spending on IT and technology budgets across the board, experienced oversight of people, processes and technology needs to be in place at the highest echelons of corporate governance.

It's important to remember that cyber security continues to be a rapidly changing environment—and we see nothing that suggests that this won't continue. This is a dynamic marketplace. The risks are going to change and our customers are going to continue to have to adapt to manage those risks.

What is clear, however, is that the best path to resolution is creating a mindset of resilience.

Bryan Salvatore is president of Zurich North America Commercial's Specialty Products business unit, a product-focused business serving a diverse set of customers and distributors. The group delivers innovative solutions for unique and challenging risks, with lines of business that include domestic and international surety, political risk/trade credit, accident & health, casualty (excess and lead), healthcare professional liability, and management liability (directors & officers, employment practices liability, crime, security & privacy).
