“Cyber readiness levels stall as attacks reach new heights of intensity” finds Hiscox study

A sharp increase in the number and cost of cyber attacks is the key finding in a study of more than 5,400 organisations across seven countries commissioned by commercial insurer Hiscox. More than three out of every five firms (i.e. 61%) report one or more attacks in the past year, yet the proportion achieving top scores for their cyber security readiness is marginally down year-on-year.

The Hiscox Cyber Readiness Report 2019 surveyed a representative sample of private and public sector organisations in the UK, the US, Belgium, France, Germany, Spain and the Netherlands. Each firm was assessed on its cyber security strategy and execution and then ranked accordingly. Only 10% achieved high enough marks in both areas to qualify as cyber security ‘experts’.

Among the key findings of the study are the following:

Cyber attacks reach a new intensity: As stated, more than three in every five firms (61%) experienced a cyber incident in the past year. This is up from 45% in the 2018 report. The frequency of attacks also increased. Belgian firms were the most heavily targeted.

More SMEs were attacked this year: While larger firms are still the most likely to suffer a cyber attack, the proportion of small firms (defined as those with fewer than 50 employees) reporting an incident is up from 33% to 47%. Among medium-sized firms (50 to 249 employees) the proportion has leapt from 36% to 63%.

Cyber losses soar: Among firms reporting attacks, average losses associated with all cyber incidents have risen from $229,000 last year to $369,000. That’s an increase of 61%. For large firms with between 250 and 999 employees, cyber-related losses now top $700,000 on average compared with $162,000 a year ago. German firms suffered the most, with one reporting a cost for all incidents of $48 million.

More firms fail cyber readiness test: Using a quantitative model to assess firms for their cyber readiness, only one-in-ten (10%) achieved ‘expert’ status this year, which is slightly down from 11% in 2018. Nearly three-quarters (74%) were ranked as unprepared ‘novices’. There was a sharp drop in the number of larger US and German firms achieving ‘expert’ scores.

Cyber security spending up by a quarter: The average spend on cyber security is now $1.45 million (up 24% on 2018), while the pace of spending is accelerating. The total spend by the 5,400 firms questioned in the survey comes to $7.9 billion. Two-thirds of respondents (67%) plan to increase their cyber security budgets by 5% or more in the year ahead.

Gareth Wharton, Hiscox’s cyber CEO, commented: “This is the third Hiscox Cyber Readiness Report and, for the first time, a significant majority of firms report one or more cyber attacks in the past 12 months. Where hackers formerly focused on larger companies, SMEs now look equally vulnerable. The cyber threat has become the unavoidable cost of doing business today. The one positive is that we see more firms taking a structured approach towards the problem, with a defined role for managing cyber strategy and an increased readiness to transfer the risk to an insurer by way of a standalone cyber insurance policy.”

The study also shows the following:

Wide disparity in readiness scores: Overall, US, German and Belgian firms score highest on the cyber readiness model, while more than four-fifths of French firms (81%) are in the ‘novice’ category. Along with the Netherlands, France (at 9%) has the smallest proportion of large and enterprise firms that rank as ‘experts’.

Cost figures skewed by large incidents: Among firms that were targeted by hackers, there has been a sharp rise in the cost of the biggest single incident reported in the past year. The mean cost has jumped from $34,000 to a fraction under $200,000.

Supply chain incidents commonplace: Nearly two-thirds of firms (65%) have experienced cyber-related issues in their supply chain in the past year. Worst affected are technology, media and telecoms and transport firms. The majority of firms (54%) now evaluate the security of their supply chains at least once a quarter or on an ad hoc basis.

Reasons to be optimistic: The proportion of firms with no defined role for cyber security has halved in the past year – from 32% to 16% – and there has been a marked fall in the number of respondents saying they changed nothing following a cyber incident (from 47% to 32%). New regulation has also prompted action, with 84% of continental European firms saying they’ve made changes following the advent of the EU’s General Data Protection Regulation. The figure for UK firms is 80%.

Rising uptake of cyber insurance: More than two out of every five firms (41%) say they’ve taken out cyber cover in the past year (which is up from 33% in 2018). A further 30% plan to take out cover in the year ahead. More than half of larger firms now have cover, but only 27% of small firms are covered by insurance.

Marie Clutterbuck, CMO of independent data recovery specialist Tectrade, stated: “One of the key findings from this research is that businesses ‘incorrectly felt they were not at risk’, meaning they may be less likely to invest in cyber security. While it’s unrealistic to expect SMEs to invest heavily to mitigate against every possible threat, there are sensible precautions that every organisation should be implementing. First and foremost, we recommend the implementation and regular testing of a back-up and recovery system so that systems can quickly be recovered as and when necessary. From a cyber security standpoint, this is a very effective protection against ransomware, which is one of the most common issues being encountered by UK SMEs. From a wider perspective, it also protects the business against a large number of traditional non-cyber threats such as flood, fire and theft.”

*Read the study results in full at https://www.hiscox.co.uk/cyberreadiness

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
