A study of 3,000 companies in the UK, US and Germany, conducted for specialist insurer Hiscox, reveals that more than half (53 per cent) of businesses in the three countries have ill-prepared security to deal with cyber-attacks.
The Hiscox Cyber Readiness Report 2017 assesses firms according to their readiness in four key areas – strategy, resourcing, technology and process – and ranks them accordingly. While most companies scored well for technology, fewer than a third (30 per cent) qualify as ‘expert’ in their overall cyber readiness.
US firms come out on top
Nearly half of the top-ranked companies or ‘cyber experts’ (49 per cent) are US-based, with a heavy weighting to multinationals and other large organisations. Larger US firms are also targeted more often than others with 72 per cent experiencing an attack in the past 12 months and nearly half (47 per cent) of all US firms experiencing two or more. More than half (55 per cent) say they have cyber insurance.
UK firms targeted less, but are slow to respond
UK firms are least likely to have experienced a cyber-attack in the past year (45 per cent). But more than a third (35 per cent) say they have changed nothing following a cyber security incident.
German firms lag
German companies make up the biggest group of bottom-ranked firms or ‘cyber novices’ (39 per cent of the total). Only 43 per cent of German companies believe their government is doing enough to protect them from cyber attack (compared with 62 per cent in the US and 48 per cent in the UK). German firms are also least likely to have cyber insurance (30 per cent).
Momentum builds behind cyber insurance
Overall, 40 per cent of firms say they have taken out cyber insurance, a higher figure than generally quoted elsewhere. The figure is highest in the US, at 55 per cent, while nearly two-thirds (64 per cent) of the ‘expert’ companies say they are insured for cyber risks.
These higher than expected take-up figures may also reflect confusion over what exactly constitutes cyber insurance cover with some companies believing they are protected under their existing insurance coverage.
Steve Langan, chief executive, Hiscox Insurance, comments, ‘With fewer than a third (30 per cent) of businesses qualified as ‘expert’, our study reveals a worrying absence of cyber security readiness among business consumers.
‘By surveying those directly involved in the business battle against cyber crime, this study provides new perspective on the challenges they face and the steps they are taking to protect themselves. But it also offers a series of practical recommendations for those businesses that still have work to do in tackling cyber risk. We hope it will contribute to a better understanding of what is needed to be fully cyber ready.’
Incidence of attacks is high
More than half (57 per cent) of firms have experienced a cyber-attack in the past year and two in five (42 per cent) have had to deal with two or more.
Larger companies are targeted most often. Nearly half (46 per cent) of businesses took two days or more to get back to business as usual. That said, the time taken to complete an investigation and any remedial work could take longer.
Costs range to over £500,000 per incident
The average cost of the largest cyber security incident experienced in the past 12 months ranges between €22,000 for the very smallest German companies to $102,000 for the largest US companies.
Several firms report individual incidents costing £500,000-plus. These figures only consider the direct costs of an incident – the impact on business reputation and customer confidence can be much greater.
Cyber security spending is rising fast
The majority of cyber security budgets (59 per cent) are set to increase by 5 per cent or more over the coming 12 months while one in five firms (21 per cent) will lift spending by a double-digit amount.
Attacks prompt more spending on technology. Around a quarter of firms that experienced a cyber-attack responded by increasing their spending on prevention or detection technologies (24 per cent and 23 per cent respectively).
Smaller firms hit hardest
While big firms incur the highest costs in nominal terms, the financial impact of cyber-attacks is disproportionately high for the very smallest companies.
Small businesses also appear more complacent than their larger counterparts, with 29 per cent saying they changed nothing following a cyber security incident (compared with 20 per cent of larger firms). Smaller firms are also more reluctant to adopt key cyber security initiatives.
Board members are behind the curve
Directors and executives scored less well in the survey rankings than respondents involved in IT or finance, suggesting more needs to be done to raise awareness of cyber issues among top management.
The way forward – steps for improving cyber readiness
The study draws on the example of the ‘expert’ companies to construct a blueprint for cyber readiness. There are six areas highlighted in the report where firms should focus their efforts to make up ground – including more employee training, the tightening up of technology and the transfer of risk by way of cyber insurance.