Readiness report

by Mark Rowe

Many businesses are ill-prepared to deal with cyber-attacks, according to an insurance company after a survey.

A study of 3,000 companies in the UK, US and Germany, carried out for the insurer Hiscox, suggested that more than half (53pc) of businesses in those three countries are ill-prepared to deal with cyber-attacks. The Hiscox Cyber Readiness Report 2017 assessed firms according to their readiness in four areas – strategy, resourcing, technology and process – and ranked them. While most companies scored well for technology, fewer than a third (30pc) qualified as ‘expert’ in their overall cyber readiness. Among the findings:

US firms top

Nearly half of the top-ranked companies or ‘cyber experts’ (49pc) are US-based, with a heavy weighting to multinationals and other large organisations. Larger US firms are also targeted more often than others, with 72pc experiencing an attack in the past 12 months and nearly half (47pc) of all US firms experiencing two or more. More than half (55pc) say they have cyber insurance.

German firms lag

German companies make up the biggest group of bottom-ranked firms or ‘cyber novices’ (39pc of the total). Only 43pc of German companies believe their government is doing enough to protect them from cyber attack (compared with 62pc in the US and 48pc in the UK). German firms are also least likely to have cyber insurance (30pc).

UK firms

UK firms are least likely to have experienced a cyber-attack in the past year (45pc). But more than a third (35pc) say they have changed nothing after a cyber security incident.

Cyber insurance

Overall, 40pc of firms say they have taken out cyber insurance, a higher figure than generally quoted elsewhere. The figure is highest in the US, at 55pc, while nearly two-thirds (64pc) of the ‘expert’ companies say they are insured for cyber risks. These higher than expected take-up figures may also reflect confusion over what exactly constitutes cyber insurance cover, with some companies believing they are already protected under their existing insurance policies.

What they say

Steve Langan, Chief Executive, Hiscox Insurance, said: “With fewer than a third (30pc) of businesses qualified as ‘expert’, our study reveals a worrying absence of cyber security readiness among business consumers. By surveying those directly involved in the business battle against cyber crime, this study provides new perspective on the challenges they face and the steps they are taking to protect themselves. But it also offers a series of practical recommendations for those businesses that still have work to do in tackling cyber risk. We hope it will contribute to a better understanding of what is needed to be fully cyber ready.”

The report also found:

Incidence of attacks

More than half (57pc) of firms have experienced a cyber-attack in the past year and two in five (42pc) have had to deal with two or more. Larger companies are targeted most often. Nearly half (46pc) of businesses took two days or more to get back to business as usual; completing an investigation and any remedial work could take longer still.

Costs

The average cost of the largest cyber security incident experienced in the past 12 months ranges from €22,000 for the very smallest German companies to $102,000 for the largest US companies. Several firms report individual incidents costing £500,000-plus. These figures only consider the direct costs of an incident – the impact on business reputation and customer confidence can be much greater.

Cyber spending

The majority of cyber security budgets (59pc) are set to increase by 5pc or more over the coming 12 months while one in five firms (21pc) will lift spending by a double-digit amount. Attacks prompt more spending on technology. Around a quarter of firms that experienced a cyber-attack responded by increasing their spending on prevention or detection technologies (24pc and 23pc respectively).

Smaller firms

While big firms incur the highest costs in nominal terms, the financial impact of cyber-attacks is disproportionately high for the very smallest companies. Small businesses also appear more complacent than their larger counterparts, with 29pc saying they changed nothing following a cyber security incident (compared with 20pc of larger firms). Smaller firms are also more reluctant to adopt key cyber security initiatives.

Board members

Directors and executives scored less well in the survey rankings than respondents involved in IT or finance, suggesting more needs to be done to raise awareness of cyber issues among top management.

Comments

John Madelin, CEO at the cyber firm RelianceACSN said: “While it’s nice to see companies taking cyber security seriously, throwing money at software won’t solve the problem. Companies already spend huge amounts on security tools, with the average firm deploying 75 different cyber defence systems to police their networks. The problem is that these tools often operate in silos, creating a sort of patchwork quilt that still leaves companies exposed. What’s needed is an integrated, end-to-end approach to security, that focuses on protecting a company’s most critical data, IP and assets. Cyber security can’t just fall under the remit of one department – everybody that has access to the network must be properly trained. Investing in staffing is smart, but with a severe skills gap in cybersecurity finding the right staff may prove tricky.”

Steven Malone, Director of Security Product Management at email security product firm Mimecast, said: “Whilst cyber insurance can offer a safety net, the rapidly evolving threat landscape means that policies are continuously at risk of becoming outdated. Readiness is important but an active cyber resilience stance means being prepared to deal with unknown attacks as they occur while maintaining business continuity. It’s crucial that businesses explore how their policies protect against email attacks such as CEO fraud and ransomware, alongside regular employee training to help spot today’s threats.”

Rob Norris, VP Head of Enterprise and Cyber Security EMEIA at IT firm Fujitsu said: “The effort required to combat breaches is industrial. Companies are no longer fighting against individuals, but a sophisticated criminal industry, designed solely to access and exploit their data. Organisations should focus on the integration of threat intelligence and other information sources to provide the context necessary to deal with today’s advanced cyber criminals. There must also be a clear and well-rehearsed crisis management plan for a breach, addressing internal and external communication. With the new EU GDPR legislation coming into effect next year, it’s vital for organisations to take a proactive approach when it comes to cyber security. Ensuring a compliant business environment, that will help protect the company and its employees, needs to be the number one priority.”

And Darren Anstee, Chief Security Technologist at Arbor Networks, said: “As Hiscox reported, the impacts of a successful attack are multi-dimensional, with some costs being immediate and some more long lived. Our latest research found that brand damage was the most commonly cited impact of a DDoS attack, beating out even operational expense. While this is not a good thing in and of itself, we are seeing an increasing proportion of organisations factoring cyber threats into their business and IT risk assessment processes, which should lead to the right investments being made in defensive solutions and services.”

“A better understanding of the impact an attack can have is driving firms toward best-practice, and our latest research shows better detection / mitigation capabilities, faster response times and improved overall effectiveness. That said, this is an iterative process as attackers aren’t staying still. With the adoption of different technologies, such as cloud, NFV etc., new or expanded threat surfaces emerge and have to be addressed.”
