Marsh & McLennan (MMC) warns cyber risk management should involve all employees, “from the boardroom to the back room”, as threats change with technological advances.

“Cyber is a risk issue, not an IT issue, and managing it effectively requires broad cross-functional engagement, yet research shows few companies have made this mindset shift,” Global Risk and Specialties President John Drzik says in the MMC Cyber Handbook.

Even fewer companies have made a concerted effort to identify cyber scenarios that could affect them, assess the risk of their suppliers and customers, and build prevention and response plans, he says.

The cost of data breaches is expected to reach $US2.1 trillion ($2.8 trillion) worldwide by 2019, almost four times the estimated cost last year.

Total cyber risk premiums have reached $US2 billion ($2.6 billion) and may climb to $US20 billion ($27 billion) by 2025, according to the handbook.

Claus Herbolzheimer, a Berlin-based partner at MMC consultancy Oliver Wyman, says companies are pursuing a range of strategies, with some radically simplifying their technical systems to limit points where hackers can enter and hide.

Healthcare providers and hospitals in the US and Germany are taking critical systems partially offline where connectedness is not needed.

Marsh’s UK and Ireland CEO Mark Weil says last year 90% of large UK organisations reported breaches, and governments are recognising the economic threat cyber attack pose.

“Cyber criminals are the hidden enemy, operating behind the scenes and inside our organisations and our devices, and incredibly difficult to detect, take down and punish,” he says.

“Losing is potentially catastrophic and ultimately avoidable. Winning will enable us to preserve our society and our way of life.”