Cyberattacks and risk management were analyzed in a recent InformationWeek report. When asked, 18% of respondents report cyberattacks threatened or disrupted their business. Severe weather or natural disaster (15%) and internal failure or failure of an internal system (12%) were also high on the list.

The research shows that 39% of respondents allocate less than 10% of their annual IT budget to cybersecurity. The investment is split between defense (70%), such as technologies and talent expenditures, and rebound (30%), like business continuity, disaster recovery, data backups, cyber insurance and ransom money.

More than half of respondents (51%) said their companies did not experience a significant disruption of any kind. It’s unclear what percentage of respondents may have been lucky and what percentage benefited from measures such as end-user training (62%); identity and access management (58%); encryption (58%); endpoint detection and response (57%); and physical security controls (54%).

Nearly one quarter (23%) of companies surveyed have either never conducted tests or are unsure if their teams have tested with tabletop exercises or other measures. Backups top the list of tools and procedures used by respondents (69%). Half of respondents (50%) report they include misconfigurations in their cyber resilience plans, and 43% include planning for severe weather events.

Nearly half of companies (46%) reported carrying cyber liability insurance either as a standalone policy or as a rider on a larger business insurance policy. Of those with cyber insurance, 84% believe the protection is worth the expense.
