Cyber survey reveals gains and gaps in corporate cybersecurity measures

Anita Byer

Before closing the book on this year’s Cybersecurity Awareness Month, it is important for businesses to recognize the expanding scope and severity of cyberattacks and the consequences of failing to implement and maintain adequate cybersecurity measures. According to Aon’s 2025 Global Risk Management Survey, most organizations identified cyberattacks and data breaches as the top current risk and top future risk they face. The fact that the FBI reported over $2.7 billion in losses in 2024 from business email compromise attacks alone seems to justify their concerns.

Despite the near universal acknowledgment of cyber threats, Moody’s 2025 Cyber Survey (10/1/2025) reveals less than universal adoption of adequate cybersecurity measures, particularly when it comes to the use of artificial intelligence.

AI Governance Policies. The survey found that large numbers of organizations lack rules governing the safe use of AI tools in the workplace. While a majority of respondents have policies restricting the use of internal and proprietary data with public AI tools, nearly a quarter of respondents have no such policies in place. According to Moody’s, insufficient AI governance can increase the likelihood of data breaches, regulatory penalties, and loss of competitive advantage.

Growing risk from third-party (vendor) software. The use of third-party software, systems, and applications for operational purposes often creates vulnerabilities that can be leveraged to gain unauthorized access. According to Moody’s, third-party software increases the attack surface by providing more entry points for hackers to exploit. Bad actors tend to favor supply chain attacks because compromising a third-party vendor allows them to also attack the vendor’s customers, clients, and end users. However, despite the growing risks associated with third-party software, only 49 percent of respondents annually reviewed their vendors’ cybersecurity risk practices. Although twenty-two percent perform such reviews every few years, a startling fourteen percent of respondents have never reviewed their vendors’ cybersecurity practices.

Adoption of multi-factor authentication (MFA) is lagging. Despite the proven effectiveness of multi-factor authentication, nearly 25 percent of respondents fail to implement and enforce a mandatory MFA policy for all applications.

Ransomware defenses are patchy. Moody’s notes that ransomware attacks are increasing in frequency, severity, and sophistication. Bad actors have evolved from basic data encryption to include double and triple extortion ransomware attacks. In addition to encrypting sensitive data, double-extortion attacks also involve the exfiltration of data, which can then be released or sold by bad actors if the target is reluctant to pay. In triple extortion attacks, bad actors threaten to attack the target’s customers, partners, or employees, or launch a Distributed Denial of Service (DDoS) attack to encourage payment.

Although daily data backups can provide an effective safeguard against ransomware attacks, the survey found that nearly a quarter of the respondents do not scan their backup data for malware or other vulnerabilities. The failure to do so may leave businesses at the mercy of ransomware attackers, which is far from ideal.

Cyber managers increasingly report to CEOs and CFOs. The survey revealed that more senior cyber managers are reporting to chief executives than before. In 2023, only 15 percent of respondents reported to the CEO or CFO. In 2025, the percentage increased to 28 percent. Many, including Moody’s, view this as a positive development.

Small and medium-sized businesses should have Cyber Perils Insurance Coverage to protect against various cyber threats and liability exposures, including the cost of complying with data breach notice laws. Please contact us if you would like more information about insurance specifically designed to protect against cyber threats and data security breaches.