Survey: Companies Underestimate Cyber Risks

The survey, released by The St. Paul Companies, a Saint Paul, Minn.-based property-liability insurer, queried 501 IT and risk managers at 460 U.S. firms.

Most respondents said the events of Sept. 11 had little impact on the way they manage cyber risks and did not result in increased attention to Internet security from upper management, according to the survey.

Three out of four respondents said they use technology such as antivirus software and firewalls to protect against Internet risks. But they aren't training employees about the risks or about corporate security protocols, Bill Rhode, president of global technology underwriting at The St. Paul Companies, said in a press conference held here.

"Companies are underestimating the risks and ignoring their weakest links, their employees," he said.

For example, an employee lacking understanding of security protocols may unwittingly release sensitive corporate data via e-mail, he said.

The survey indicated there is a big communication gap between IT managers and corporate risk managers, who are "out of the loop" when it comes to assessing cyber risks, he said.

Rhode said it's hard to quantify Internet risks but added, "From a smaller company's perspective, it could potentially put them out of business."

An Internet worm, for example, could cause a business interruption that a small company couldn't handle, he said. A large company might be able to sustain itself through such a business interruption but could rack up costs to protect themselves legally, depending on the cyber event, he said.

Schulman, Ronca and Bucuvalas, a New York-based opinion research firm, conducted the survey on behalf of The St. Paul Companies earlier this year. Companies polled in the survey have annual revenue ranging from $1 million to $1 billion and represent a variety of industries.