Cyber readiness survey

by Mark Rowe

There are major shortcomings in cyber security readiness at nearly three-quarters (73pc) of firms, according to a study of more than 4,000 organisations across five countries, commissioned by a specialist London-based insurer.

The Hiscox Cyber Readiness Report 2018 surveyed a representative sample of private and public sector bodies in the UK, US, Germany, Spain and the Netherlands. It assessed each organisation on its cyber security strategy and on the quality of that strategy’s execution, and ranked them accordingly. Only 11pc scored highly enough in both areas to qualify as cyber security ‘experts’. One in six firms (16pc) achieved expert status in either strategy or execution, but not both.

Larger organisations in the study (those with 250-plus employees) are better prepared, it’s suggested. One in five (21pc) rank as cyber security experts and a further 17pc pass the expert test in either strategy or execution. Just 7pc of smaller organisations (250 or fewer employees) make the grade as experts.

The average organisation in the report spends $11.2m a year on IT and devotes 10.5pc of it to cyber security. However, the organisations that rank as cyber experts spend twice as much on IT as those that failed the test ($19.8m on average versus $9.9m) and devote a higher proportion to cyber security (12.6pc versus 9.9pc). Smaller firms lack resources, directing on average 9.8pc of their IT budget to cyber security compared with 12.2pc for larger organisations.

Nearly three out of five respondents (59pc) plan to increase their cyber security budgets in the year ahead. New technology tops the shopping list despite this being the area where the bulk of firms appear best prepared. The experts lead the way: for example, more than half (55pc) plan to increase spending on awareness training compared with only 29pc of organisations that failed the cyber readiness test.

Nearly half (45pc) of the organisations surveyed report at least one cyber attack in the past year. Two-thirds of those targeted suffered two or more attacks. Financial services, energy, telecoms and government entities were the prime targets. Among organisations that were targeted in the past year, the average cost of all incidents was $229,000. For organisations with 1,000-plus employees, the average costs ranged between $356,000 in Spain and $1.05m in the US. Individual organisations faced still higher costs – up to $20m in the UK and Germany and $25m in the US.

Steve Langan, Chief Executive of Hiscox Insurance Company, said: “This report shines a light not only on the financial consequences of cyber incidents but also on the enormous investment being made to counter the threat. Importantly, it offers a picture of what best practice looks like. Often the answer is not ‘more technology’ but proactive thinking, more rigorous processes and better trained staff. We hope it will serve as a roadmap for all those organisations that still have some way to go.”

While many firms may lack adequate defences, two-thirds of respondents (66pc) rank the cyber threat alongside fraud as a top risk to their business. The insurance firm suggests 2018 could be a watershed year for cyber insurance, as the EU’s General Data Protection Regulation (GDPR) comes into force in May, with penalties for the loss of personal data. The report shows that one-third (33pc) of respondents currently have standalone cyber cover while a further quarter (25pc) say they plan to take out cover in the coming year. Financial services firms are most likely to report being covered (48pc).

Comments

Peter Carlisle, VP EMEA, Thales eSecurity, said: “What we can see from these results is a clear demonstration of the very real concerns facing businesses, their customers and governments; particularly given the recent proliferation of data breaches and cyberattacks. There can be no doubt that the series of mega breaches and cyberattacks over the course of the last year has increased companies’ urgency to improve their security posture. Corporations are investing millions to secure their critical data and intellectual property but despite this, attackers are still able to breach their infrastructure and steal valuable data. Businesses need to invest in robust privacy-by-design defence mechanisms – such as encryption – to protect valuable intellectual property and data.

“And, whilst ensuring that cyber and data security is at the forefront of the day-to-day agenda, it is hugely important to ensure that staff are properly trained with the necessary cyber skills.”

And Dr Anton Grashion, manager – security practice at cyber product firm Cylance, said: “Although it was a relatively small data set from which to assess the security expertise of a territory, some of the problem boils down to increasing complexity both in threat landscape and the complexity of building the countermeasures. Using the example of the NHS and WannaCry; if the malware had been stopped before it detonated, much of the knock-on effect would have been avoided. That’s not to argue against basic IT practices of keeping patches up to date (where available), but by preventing rather than reacting. The complexity of being expert enough to chase threats into the organisation if they have not been prevented is also exacerbated by the growing cyber skills shortage.”

© 2024 Professional Security Magazine. All rights reserved.