To Combat Cyber Risk, Businesses Invest in Resilience

To Combat Cyber Risk, Businesses Invest in Resilience
Cyber Labs

06 of 12

This insight is part 06 of 12 in this Collection.

August 31, 2023 12 mins

To Combat Cyber Risk, Businesses Invest in Resilience

To Combat Cyber Risk, Businesses Invest in Resilience Hero image

Cyber security is a growing business concern, but many companies still need to improve their cyber resilience in key areas. Aon’s 2023 Cyber Resilience Report explores how global industries are protecting themselves against cyber threats.

Key Takeaways
  1. Though businesses are spending more on cyber security, many of them still lack the critical IT controls needed to keep systems and data safe.
  2. The finance and insurance, healthcare and manufacturing industries all made progress in building cyber resilience, but gaps in backup security and other risks remain.
  3. In addition to applying industry-specific solutions, companies can focus on holistic solutions to reduce cyber-related operational, systemic and reputation risks.


While companies are increasingly investing in the security of their technology, systems and data, cyber risks continue to proliferate. Cyber-security vulnerabilities can threaten business continuity and cost organizations millions of dollars per incident: the global average cost of a data breach was $4.35 million in 2022. In addition to external dangers such as ransomware and phishing attacks, insider cyber threats are raising the threat level for businesses across sectors. Research shows that while leaders understand the importance of cyber security, many CEOs struggle to make decisions in this area.

What can leaders do to not only build their organizations’ cyber security but also strengthen their cyber resilience? Aon’s 2023 Cyber Resilience Report collected data from more than 2,000 clients to explore how businesses around the world are managing a rise in cyber risks, where organizations are making gains and which actions could help them prepare to face future cyber security challenges.

In Depth

Aon’s Cyber Resilience Report found that businesses overall have increased their cyber-security budgets from 2020 levels, with improvements in data security, application security, remote work, access control and endpoint and systems security. The insurance market could be a driver in the move toward greater cyber health, because cautions from insurers have motivated businesses to implement more stringent cyber security controls. Though certain threats — such as vulnerability to inside attacks, reputation risk relating to a cyber incident and insufficient backup security for critical company data — persist, some industries appear to be making notable progress in improving their stance on cyber.

Finance and Insurance: Improvements and Imperatives in Cyber Security

The finance and insurance sector show gains in cyber readiness in 2022, with small and midsize companies moving beyond a basic level of cyber maturity. Clients in this industry also indicated that they have increased their cyber security spend from 2021 levels, with 8 percent of their IT budgets devoted to this area last year. The use of multifactor authentication (MFA), a valuable security protection for financial data, also appears to have increased in 2022; in the U.S., deployment of MFA controls rose to 80 percent from 65 percent in 2021.

However, the finance and insurance sectors still face challenges in cyber resilience. With more customers turning to mobile banking and new forms of digital payment, the growing fintech sector is vulnerable to data breaches, malware and ransomware. And ransomware isn’t only a threat to fintech providers: the finance and insurance industry as a whole reported a 38 percent increase in ransomware claims from fourth quarter 2022 to first quarter 2023.

To Combat Cyber Risk, Businesses Invest in Resilience Image 1

Preparing for ransomware attacks is just one of the actions the finance and insurance sector can take to build cyber resilience. Optimizing cyber insurance, mapping and managing third-party risks, and running a patch management program are also important steps in the journey to stronger cyber security. Finance and insurance businesses in Europe will also need to prioritize meeting the standards of the Digital Operation Resilience Act (DORA) in the next two years.

Cyber Successes and Vulnerabilities in Healthcare

The healthcare industry faces unique cyber-security challenges, complicating the industry’s path to cyber maturity. The need to protect sensitive patient data, an industry-wide IT talent gap, potential liabilities related to regulatory compliance and a move to new technology rooted in the Internet of Things (IoT) are all critical considerations for healthcare companies. In this industry, cyber attacks are not only disruptive and costly — they can also lead to harmful or life-threatening outcomes for patients.

Like the finance and insurance sector, the healthcare industry devoted 8 percent of IT budgets to security in 2022. But the threat of ransomware looms large in healthcare as well: Aon’s Cyber Resilience Report found that while U.S. healthcare companies made notable improvements in protective strategies such as multifactor authentication, U.K. and EMEA healthcare companies lacked 41 percent of critical MFA controls.

To Combat Cyber Risk, Businesses Invest in Resilience Image 2

To mitigate the risk of ransomware and other cyber threats, the healthcare industry can develop a better understanding of its cyber-security exposures. Building cyber resilience through collaboration with internal enterprise operations emergency centers can also strengthen cyber maturity across a healthcare organization. Improving the relationship between business continuity planning and incident response preparedness can contribute to greater alignment in cyber strategy as well. In Europe, the healthcare industry will also need to follow the new Network and Information Security (NIS2) Directive or face potential fines for noncompliance.

Cyber Resilience in Manufacturing

Manufacturing relies on networks of partners of varying sizes and capabilities, and the interconnectedness of the industry expands the footprint for cyber risk. A severe cyber incident has the potential to disrupt the supply chain, and the many smaller companies in the manufacturing ecosystem may have fewer resources to combat a cyber attack. Vulnerabilities in industrial IoT and the lingering effects of COVID-19-era pressures add to the challenges in building cyber resilience in manufacturing.

The industry is making strides in cyber maturity, however. Outpacing finance and insurance and healthcare, manufacturing companies allocated 8.5 percent of their IT budgets to cyber security in 2022. Though manufacturing still has room to grow in terms of cyber health, U.S. and U.K. manufacturers surpass other sectors in operational technology.

To Combat Cyber Risk, Businesses Invest in Resilience Image 3

As in other industries, cyber resilience in manufacturing begins with understanding and managing risk. Focusing on response and recovery strategies and segmenting systems — including a separation of IT and operational technology to minimize in-network threats — could help to build a stronger cyber risk profile. Manufacturers in Europe must also turn their attention to regulatory compliance, upholding the standards outlined by the European Union Agency for Cybersecurity; U.S. manufacturers will need to comply with guidelines set by the National Institute of Standards and Technology.

A Path to Better Decisions in Cyber Resilience

To build cyber resilience, business leaders can consider a holistic approach. IT, finance, HR, risk and other departments are all susceptible to cyber attacks, and all departments can benefit from improvements in cyber strategy. The Aon Cyber Resilience Report identifies steps businesses in any industry can take as they progress toward greater cyber maturity:

  • Backing up information can help reduce operational risk, and a combination of cloud storage and instituting critical IT controls could mitigate the impact of a ransomware attack.
  • Risk modeling, data intelligence and security controls can all help to manage systemic risks that may come from dependence on a limited number of tech services or jeopardizing their cyber security with shared usage of key technologies.
  • Increasing investment in multifactor authentication can add an important layer of security in manufacturing and other industries, especially across the supply chain.
  • Strengthening data security and building cyber awareness could help to combat the risks of phishing attacks and attempts to buy and access data.
  • Developing security operations centers could help businesses close a critical gap in cybersecurity — 40 percent of companies surveyed lacked controls in this area.
  • Investing in cyber insurance may be able to help minimize financial loss should a cyber incident occur. Insurance can also control the fallout from accompanying reputation risks and better maintain the cyber resilience that is increasingly crucial in an interconnected, digitized world.

Cyber Disclaimer

Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates. The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.

General Disclaimer

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.

More Like This

View All
Subscribe CTA Banner