Cyber readiness report

by Mark Rowe

More than three in every five firms (61pc) experienced a cyber incident in the past year, up from 45pc in the 2018 report. The frequency of attacks also increased, according to a report by an insurance company.

While larger firms are still the most likely to suffer a cyber attack, the proportion of small firms (defined as those with fewer than 50 employees) reporting an incident is up from 33pc to 47pc, says the Hiscox Cyber Readiness Report 2019. Among medium-sized firms (50 to 249 employees) the proportion has leapt from 36pc to 63pc. Among firms reporting attacks, average losses associated with all cyber incidents have risen from $229,000 last year to $369,000 – an increase of 61pc. For large firms with between 250 and 999 employees, cyber-related losses now top $700,000 on average, compared with $162,000 a year ago. German firms suffered the most, with one reporting a cost for all incidents of $48 million.

Using a quantitative model to assess firms for their cyber readiness, only one in ten (10pc) achieved ‘expert’ status this year, slightly down from 11pc in 2018. Nearly three-quarters (74pc) ranked as unprepared ‘novices’. There was a sharp drop in the number of larger US and German firms achieving ‘expert’ scores.

The average spend on cyber security is now $1.45 million, up 24pc on 2018, and the pace of spending is accelerating. The total spend by the 5,400 firms in the survey comes to $7.9 billion. Two-thirds of respondents (67pc) plan to increase their cyber security budgets by 5pc or more in the year ahead.

Gareth Wharton, Hiscox Cyber CEO, said: ‘This is the third Hiscox Cyber Readiness Report and, for the first time, a significant majority of firms report one or more cyber attacks in the past 12 months. Where hackers formerly focused on larger companies, small and medium-sized firms now look equally vulnerable. The cyber threat has become the unavoidable cost of doing business today. The one positive is that we see more firms taking a structured approach to the problem, with a defined role for managing cyber strategy and an increased readiness to transfer the risk to an insurer by way of a standalone cyber insurance policy.’

Overall, US, German and Belgian firms score highest on the cyber readiness model, while more than four-fifths of French firms (81pc) are in the ‘novice’ category. Along with the Netherlands, France has the smallest proportion of large and enterprise firms that rank as ‘experts’, at 9pc. Among firms that were targeted by hackers, there has been a sharp rise in the cost of the biggest single incident reported in the past year. The mean cost has jumped from $34,000 to a fraction under $200,000.

Nearly two-thirds of firms (65pc) have experienced cyber-related issues in their supply chain in the past year. Worst affected are technology, media and telecoms (TMT) and transport firms. The majority of firms (54pc) now evaluate the security of their supply chains at least once a quarter or on an ad hoc basis.

On the optimistic side, the proportion of firms with no defined role for cyber security has halved in the past year – from 32pc to 16pc – and there has been a marked fall in the number of respondents saying they changed nothing following a cyber incident (from 47pc to 32pc). New regulation has also prompted action, with 84pc of Continental European firms saying they have made changes under the General Data Protection Regulation (GDPR). The figure for UK firms is 80pc.

More than two out of five firms (41pc) say they have taken out cyber cover in the past year (up from 33pc in 2018). A further 30pc plan to take out cover in the year ahead. More than half of larger firms now have cover but only 27pc of small firms.

Comment

David Emm, principal security researcher at cyber product firm Kaspersky Lab UK, said: “This news demonstrates that businesses are at huge threat from cyber-criminals, and acts as a stark warning to enterprises of all sizes, regardless of what sector they operate in. There is still ignorance from many companies towards cybersecurity, with an attitude of ‘it won’t happen to us’, but the exact opposite is true – the threat is real, and growing ever more real. Indeed, Kaspersky Lab research indicates that UK firms are among the most vulnerable in Europe, and that such attacks are becoming ever more sophisticated and regular. Cybercriminals will never stop trying to access sensitive data, including payment information and corporate secrets. A breach can cripple, or even potentially close, a business, leading to job losses and financial ruin.

“Businesses should take a step back and re-evaluate their IT security strategy, ensuring there is a full lifecycle security plan in place, including: education for businesses and their employees, the best tools to protect against attacks, and the most reliable tools for zero-day detection.”


© 2024 Professional Security Magazine. All rights reserved.
