Nearly three-quarters (73%) of firms face major shortcomings in cyber security readiness, according to a newly released study by specialist insurer Hiscox.
The Hiscox Cyber Readiness Report 2018, which gauges how prepared businesses are to manage cyber threats, surveyed department managers, IT specialists and key professionals at more than 4,100 small to large companies in the US, UK, Germany, Spain and the Netherlands. It assessed and ranked each organization according to its cyber security strategy and the quality of its execution. The US topped the list in cyber expertise, with 13 percent ranking as ‘cyber experts’ compared to 11 percent of global respondents. Almost half (45%) of businesses surveyed globally reported at least one cyber attack in the past year; two-thirds of those targeted suffered two or more attacks.
Some key findings from the more than 1,000 companies surveyed in the US:
- Cyber threat ranks as a top risk: While many firms may lack adequate defenses, two-thirds of respondents (69%) rank the threat of a cyber-attack alongside fraud as a top risk to their businesses.
- Cyber security spending on the rise: As firms increasingly recognize the dangerous impact of a cyber attack, demand for protective and preventive resources rises. Almost 60 percent of survey respondents believe their overall cyber security spending budget will increase by five percent or more. The average IT budget of survey respondents in the US is $11.65 million, with 10.6 percent being devoted to cyber security.
- Employee training works: Of the organizations making an investment in cyber security efforts, 54 percent indicated that employee training helped reduce the number of cyber hacks and incidents. Furthermore, 43 percent of US companies reported conducting cyber security exercises, such as phishing experiments, to understand employee behavior and readiness for an attack.
- Costs range up to $25 million: Among the largest organizations (more than 1,000 employees), the average cost of cybercrime, aggregating all incidents over the past year, was $1.05 million. Some of these larger organizations faced costs well above that average, of up to $25 million annually.
- Small businesses behind the cyber insurance curve: Despite an increase in spending across the board, there is a stark difference between how small and large businesses view cyber insurance. Fifty-eight percent of US companies with more than 250 employees have cyber insurance, while only 21 percent of US companies with fewer than 250 employees can say the same. In addition, more than half (52%) of US small businesses say they have no intention of securing cyber insurance, while only 9% of their larger counterparts say the same.
“As threats become more advanced and sophisticated, cyber readiness is no longer a ‘nice to have’ but a ‘must have’ for businesses of all sizes,” said Dan Burke, vice president and cyber product head for Hiscox in the US. “There needs to be a dedicated investment, and not just a financial one, in order to prevent, detect and mitigate cyber attacks. Beyond the allocation of funds, an organization must focus on its people, its thinking and its processes, in order to become a cyber expert.”
Becoming a Cyber Expert
Cyber readiness was determined using a module proprietary to Hiscox: organizations in the five countries surveyed had to achieve a minimum score of 4.0/5 in four metrics to qualify as cyber experts. Here are the top factors that divide the cyber experts from the cyber novices globally:
- Strategy: Nine out of ten cyber experts globally (89%) have a clearly defined cyber security strategy compared to nearly half (49%) of cyber novices. Cyber experts are likely to have put a formal budgeting process in place, which is integrated into all security projects and activities.
- Engagement: Cyber experts get support from senior leaders and engage a broader range of stakeholders when setting their organization’s cyber security strategy. Experts are more than twice as likely to agree that ‘there is formal support for cyber security from business leaders and executives on an ongoing basis’ (86% versus 38% for cyber novices).
- Organizational leadership: Just over half (52%) of all cyber experts globally have a dedicated leader or executive responsible for cyber security and 46% say they have a dedicated team to support that leader. By comparison, cyber novices are roughly half as prepared in this way as the experts.
- Training and evaluation: Ninety percent of all cyber experts review the cyber security competence of their people on a regular basis, using established metrics. And cyber security competence forms have become a part of regular performance evaluations.
- Willingness to respond: The cyber experts elevate themselves above the cyber novices by their readiness to make changes in response to a cyber security incident. Nearly three-quarters (72%) of those who experienced an incident in the past year increased their security measures, whereas more than half of those organizations classified as cyber novices (51%) failed to act.
- Investment: The expert organizations devote a greater proportion of their IT budget to cyber than the novices. Furthermore, far more experts intend to increase their spending across every area in the coming 12 months, from staffing, training and technology to outsourcing and consultancy.
- Insurance: Based on all respondents globally, 60 percent of the cyber experts have taken out cyber insurance, and 31 percent plan to do so in the future. By contrast, barely a quarter (26%) of the cyber novices say they have cyber cover – though a further quarter (24%) plan to take out cover in the next 12 months.
A full copy of The Hiscox Cyber Readiness Report 2018 can be accessed at www.hiscox.com/cybersecurity.