Hiscox: Cyber security readiness study finds widespread shortcomings
International study of 3,000 businesses shows widespread variations in cyber security readiness
A study of 3,000 companies in the UK, US and Germany, conducted for specialist insurer Hiscox, reveals that more than half (53%) of businesses in the three countries are ill-prepared to deal with cyber-attacks. The Hiscox Cyber Readiness Report 2017 assessed firms according to their readiness in four key areas – strategy, resourcing, technology and process – and ranked them accordingly. While most companies scored well for technology, fewer than a third (30%) qualified as ‘expert’ in their overall cyber readiness.
Among the key findings:
- US firms come top: Nearly half of the top-ranked companies or ‘cyber experts’ (49%) are US-based, with a heavy weighting to multinationals and other large organisations. Larger US firms are also targeted more often than others with 72% experiencing an attack in the past 12 months and nearly half (47%) of all US firms experiencing two or more. More than half (55%) say they have cyber insurance.
- German firms lag: German companies make up the biggest group of bottom-ranked firms or ‘cyber novices’ (39% of the total). Only 43% of German companies believe their government is doing enough to protect them from cyber attack (compared with 62% in the US and 48% in the UK). German firms are also least likely to have cyber insurance (30%).
- UK firms targeted less, but are slow to respond: UK firms are least likely to have experienced a cyber-attack in the past year (45%). But more than a third (35%) say they have changed nothing following a cyber security incident.
- Momentum builds behind cyber insurance: Overall, 40% of firms say they have taken out cyber insurance, a higher figure than generally quoted elsewhere. The figure is highest in the US, at 55%, while nearly two-thirds (64%) of the ‘expert’ companies say they are insured for cyber risks. These higher than expected take-up figures may also reflect confusion over what exactly constitutes cyber insurance cover with some companies believing they are protected under their existing insurance coverage.
Steve Langan, Chief Executive, Hiscox Insurance, commented: “With fewer than a third (30%) of businesses qualified as ‘expert’, our study reveals a worrying absence of cyber security readiness among business consumers.
“By surveying those directly involved in the business battle against cyber crime, this study provides new perspective on the challenges they face and the steps they are taking to protect themselves. But it also offers a series of practical recommendations for those businesses that still have work to do in tackling cyber risk. We hope it will contribute to a better understanding of what is needed to be fully cyber ready.”
Other findings in the report include:
- Incidence of attacks is high: More than half (57%) of firms have experienced a cyber-attack in the past year and two in five (42%) have had to deal with two or more. Larger companies are targeted most often. Nearly half (46%) of businesses took two days or more to get back to business as usual. That said, the time taken to complete an investigation and any remedial work could take longer.
- Costs range to over £500,000 per incident: The average cost of the largest cyber security incident experienced in the past 12 months ranges between €22,000 for the very smallest German companies to $102,000 for the largest US companies. Several firms report individual incidents costing £500,000-plus. These figures only consider the direct costs of an incident – the impact on business reputation and customer confidence can be much greater.
- Cyber security spending is rising fast. The majority of cyber security budgets (59%) are set to increase by 5% or more over the coming 12 months while one in five firms (21%) will lift spending by a double-digit amount. Attacks prompt more spending on technology. Around a quarter of firms that experienced a cyber-attack responded by increasing their spending on prevention or detection technologies (24% and 23% respectively).
- Smaller firms hit hardest: While big firms incur the highest costs in nominal terms, the financial impact of cyber-attacks is disproportionately high for the very smallest companies. Small businesses also appear more complacent than their larger counterparts, with 29% saying they changed nothing following a cyber security incident (compared with 20% of larger firms). Smaller firms are also more reluctant to adopt key cyber security initiatives.
- Board members are behind the curve: Directors and executives scored less well in the survey rankings than respondents involved in IT or finance, suggesting more needs to be done to raise awareness of cyber issues among top management.
The way forward - steps for improving cyber readiness
The study draws on the example of the ‘expert’ companies to construct a blueprint for cyber readiness. There are six areas highlighted in the report where firms should focus their efforts to make up ground – including more employee training, the tightening up of technology and the transfer of risk by way of cyber insurance.