New US research points to a broad risk awareness gap between corporate IT managers and their risk management colleagues, writes Janet Lipski.

Contagious disease wards are no match for the internet when it comes to breeding viruses, but a new survey by insurer St Paul Companies shows that most businesses largely ignore the dangers of the networked world. Despite the rise of e-commerce and growing evidence of the associated risks, US companies continue to underestimate the dangers, and are failing to train employees adequately to deal with them. The problem is exacerbated by poor communication between IT and risk managers.

The study shows that the inclination to take e-risks seriously is not great. "Only one-third of those surveyed said their companies were more likely to identify and manage e-risks than they were a year ago," says Bill Rohde, President, Global Technology, at St Paul. Part of the reason is that IT managers, who are aware of the risks, are not talking to risk managers, who are not.

For the second year running, market researchers Schulman, Ronca and Bucuvalas Inc (SRB) conducted a survey of the e-exposure of 460 large and mid-sized US companies. The results, published in The E-Frontier 2002: Continuing Threats to Corporate Risk Management, reveal that there has been little or no development of companies' internet risk protection since 11 September 2001, and that the gap between risk managers and IT managers, is broad.

SRB President Dr Mark Schulman says, "We found in last year's survey that many risk managers felt reluctant to intrude into their companies' IT departments, often because they felt under-prepared to grasp the technical aspects." He adds that the latest survey reveals the seriousness of the gap, which poses a significant risk for many US companies.

The researchers interviewed a combined total of 500 IT managers and corporate risk managers responsible for their firm's insurance coverage. Among IT managers, 28% reported losses as a result of hackers, computer viruses, or denial of service, compared with only 1% of risk managers. However, while IT managers prove vigilant in spotting such perils, 37% say they do not interact at all with their counterparts, while the rest spend only a little time working together on cyber-risk issues. Risk managers get more involved only when losses are significant, or the potential for a lawsuit is high. It is no surprise, then, that almost all IT managers (90%) believe that only half of their risk manager counterparts have the same level of understanding of cyber-risk as their own.

This lack of interaction clearly reflects the laid-back attitude taken by companies towards internet risk. Less than half of the companies surveyed had developed employee awareness programmes for such risks. That goes some way to explain the poor ratings given by risk managers and IT managers to employees who handle sensitive data, or have access to corporate databases. About 75% of both groups considered employee understanding of e-risk as 'not very good' or, at best, 'fair'. Rohde is optimistic, nevertheless, that this problem can be tackled through better education.

The continued reluctance of US companies to increase their vigilance over internet-related risks is all the more surprising after 11 September. "The heightened attention to security that resulted from last year's attacks needs to extend to cyber-risks," says Rohde. "A company that conducts business via the internet opens itself up to a new set of risks and dangers, and those risks must be better understood, quantified and managed." Only 20% of IT managers and 22% of risk managers say that their senior management has been more involved in assessing and managing cyber-risk since the attack, while few risk managers (11%) or IT managers (16%) agree that their departments are working more closely to identify and manage internet risks. It is therefore not surprising that more than 80% of risk managers say that their companies are unlikely to purchase e-risk insurance coverage.

Meanwhile, the results of a separate survey show that a staggering 80% of 282 small and mid-sized companies surveyed in the US are not sure whether their current insurance policy covers cyber-risks, according to The Hartford Financial Services Group. "This uncertainty is not surprising," says Judy Blades, executive vice president in charge of business insurance, clearly unmoved by the results. "Most standard business coverages were established before the internet became a common business tool. It has only been in recent years that problems associated with the web have come to the fore."

The study found that nearly all the companies surveyed were using the internet for e-mail and web surfing; 63% of mid-sized businesses and 42% of small businesses had web sites for information purposes, while 13% were currently using the internet for e-commerce. Hartford found that the more 'cyber-savvy' businesses were particularly worried about lawsuits involving online copyright infringement and privacy. According to attorneys who specialise in this type of litigation, defence costs alone for these cases can exceed $100,000.

"The last thing you want is to be facing a $200,000 lawsuit and then find out that your policy doesn't cover your web site," says Blades. "Companies should talk to their independent insurance agent about their current and future online activities to make sure they have the appropriate coverage."

Janet Lipski is a freelance journalist