New expert survey warns of the real potential for a catastrophic cyber event and outlines the mitigations that matter most.

Cyber attacks are a well-known risk, but a new survey from CyberCube and Munich Re suggests many businesses still underestimate the potential for a widespread, disruptive malware event.

The report, released on 15 July and based on responses from 93 senior cybersecurity professionals across finance, IT, and infrastructure sectors, examines how prepared organisations are and where they fall short.

How likely is another global malware outbreak?

Most experts surveyed consider another incident on the scale of 2017’s NotPetya or WannaCry attacks not just possible, but likely.

Some went further: while a malware infection affecting 10% of global systems would be surprising, it would not be unimaginable. A 25% infection rate, though far less probable, was still seen as a plausible worst-case scenario.

For risk managers, the findings reinforce that cyber threats have evolved beyond isolated IT disruptions. A major malware outbreak could trigger system-wide failures, with traditional risk frameworks struggling to keep pace due to the speed and interconnected nature of modern attacks.

How fast could a major malware attack spread?

The survey highlights how quickly malware can propagate.

A 5% global infection rate within a week was deemed “expected” by respondents. Hitting that mark in three days was viewed as unlikely but possible, while a 12-hour timeframe, though improbable, was not ruled out.

Such rapid spread would leave little time for containment, making pre-emptive measures critical.

Initial infection vectors fall into three main categories: software vulnerabilities, supply chain compromises, and operating system exploits. While phishing remains a common entry point, its limited scalability makes it less likely to fuel mass outbreaks.

Automated attacks exploiting unpatched systems or third-party software pose a greater large-scale threat.

Which mitigations actually work?

The report identifies several strategies that significantly reduce risk.

Consistent patch management, network segmentation, and reliable backups were rated most effective, potentially cutting both the likelihood and financial impact of an attack by 50% to 80%. No measure, however, eliminates risk entirely.

Some widely used tools, like antivirus software and extended detection platforms (XDR/MDR), were seen as only moderately effective.

Similarly, while employee training is often emphasised, experts rated it just “somewhat effective” against social engineering, suggesting a gap between perceived and actual safeguards.

Are businesses overdependent on the cloud?

One of the report’s key insights is the extent to which critical business processes rely on cloud providers.

Industries like IT, finance, and health care reported “high” or “very high” dependency, while sectors like energy and construction showed lower reliance.

Smaller firms (£8m–£80m revenue) were most cloud-dependent, whereas larger enterprises leaned on hybrid architectures.

Outages lasting hours to days were deemed plausible, with multi-day disruptions rare but possible. Notably, a single-day outage of a critical cloud provider could cost firms 1% of annual revenue, a figure that escalates sharply for prolonged downtime.

What’s next for emerging risks?

The survey also explored evolving threats like IoT devices and AI-driven attacks.

Large language models (LLMs) are already being used to scale phishing campaigns, while industrial IoT vulnerabilities rank as a near-term concern.

Artificial general intelligence (AGI), though not yet a reality, was flagged as a longer-term wild card.

What should risk managers do now?

The report points to several strategic actions risk managers should consider:

  • Prioritise effective controls. Ensure patch management and network segmentation are embedded into enterprise IT policy and monitored continuously.
  • Reevaluate third-party exposures. Many malware attacks spread through trusted software updates or supplier networks. Supply chain cyber risk needs to be integrated into broader vendor assessments.
  • Test worst-case scenarios. Tabletop exercises should include rapid-spread malware simulations. How would your organisation respond if 5% of its systems were infected within 24 hours?
  • Bridge the board gap. Translate technical risk into financial language. The report found that many respondents expect financial losses equivalent to 1% of annual revenue from just one day of outage in a malware or cloud incident.
  • Ensure insurance adequacy. Reassess coverage against systemic events. Does your policy contemplate cloud-linked dependencies or mass-scale events that could impact entire sectors?

The bottom line? While foundational cyber hygiene remains essential, the survey underscores the need for strategic planning against systemic risks. 

As digital interdependence grows and attackers leverage tools like AI, businesses must treat cyber resilience as a cross-functional priority, not just an IT concern.

SR Q2 2025 Edition