A study of 3,000 companies in the UK, U.S. and Germany, reveals that more than half (53 percent) of businesses in the three countries are ill-prepared to deal with cyber attacks. Fewer than one-third (30 percent) qualify as “expert” in overall cyber readiness.
The survey, conducted for specialist insurer Hiscox, assessed firms according to their readiness in four key areas – strategy, resourcing, technology and process – and ranked them accordingly. U.S. based firms do better than companies from the EU and Germany– but they are also targeted more often by cyber attacks.
The Hiscox Cyber Readiness Report 2017 indicates that while large firms incur the highest costs in nominal terms, the financial impact of cyber-attacks is disproportionately high for the very smallest companies. It also finds cyber security budgets are growing.
The survey suggests that momentum is building behind cyber insurance. Overall, 40 percent of firms say they have taken out cyber insurance, a higher figure than generally quoted elsewhere. The figure is highest in the U.S., at 55 percent, while nearly two-thirds (64 percent) of the “expert” companies say they are insured for cyber risks.
Hiscox analysts say these higher than expected take-up figures may also reflect confusion over what exactly constitutes cyber insurance cover with some companies believing they are protected under their existing insurance coverage.
Among the firms that have not bought cyber cover – 26 percent of the survey sample – and do not plan to do so, two in five (41 percent) of them say “a cyber insurance policy is not relevant for me.” The figure is particularly high in the UK, at 45 percent, and among members of the construction industry (at 53 percent). More than one in six (17 percent) of those that have no plans to take out cyber insurance agree with the statement: “Cyber insurance policies are so complicated – I don’t understand what cyber insurance would cover me for.”
“With fewer than a third of businesses qualified as ‘expert,’ our study reveals a worrying absence of cyber security readiness among business consumers,” said Steve Langan, chief executive, Hiscox Insurance, which sells cyber insurance.
The study provides perspective on the challenges businesses face and the steps they are taking to protect themselves and also offers a series of practical recommendations for those businesses that still have work to do in tackling cyber risk.
“One part of the solution, adopted by an increasing number of organizations, is to transfer the cyber risk to an insurer. The report shows that while a large number of firms have already gone down this route, and many more are preparing to follow, the insurance industry still has a job to do in instilling trust in its policies, delivering clarity over what they cover and simplifying the way they are written,” Langan advises in his introduction to the report.
The industries surveyed by Hiscox run the gamut from technology and financial services to construction and healthcare. Thirty-three percent are based in the UK, the same percentage in Germany while 34 percent in the U.S. Respondents were C-suite level executives (20 percent), vice presidents (12 percent), directors (27 percent) and managers (40 percent). Businesses ranged in size from one-to-nine employees (18 percent) to more than 20,000 employees (2 percent), with 52 percent falling in the 20 to 249 employee range.
The study draws on the example of the “expert” companies to construct a blueprint for cyber readiness. There are six areas highlighted in the report where firms should focus their efforts to make up ground – including more employee training, the tightening up of technology and the transfer of risk by way of cyber insurance.
Among the findings of the Hiscox Cyber Readiness Report 2017:
U.S. firms at top: Nearly half of the top-ranked companies or “cyber experts” (49 percent) are U.S.-based, with a heavy weighting to multinationals and other large organizations. Larger U.S. firms are also targeted more often than others with 72 percent experiencing an attack in the past 12 months and nearly half (47 percent) of all U.S. firms experiencing two or more. More than half (55 percent) say they have cyber insurance.
German firms lag: German companies make up the biggest group of bottom-ranked firms or “cyber novices” (39 percent of the total). Only 43 percent of German companies believe their government is doing enough to protect them from cyber attack (compared with 62 percent in the U.S. and 48 percent in the UK). German firms are also least likely to have cyber insurance (30%).
UK firms targeted less, but are slow to respond: UK firms are least likely to have experienced a cyber-attack in the past year (45 percent). But more than a third (35 percent) say they have changed nothing following a cyber security incident.
Incidence of attacks is high: More than half (57 percent) of firms have experienced a cyber-attack in the past year and two in five (42 percent) have had to deal with two or more. Larger companies are targeted most often. Nearly half (46 percent) of businesses took two days or more to get back to business as usual. That said, the time taken to complete an investigation and any remedial work could take longer.
Costs range to over £500,000 per incident: The average cost of the largest cyber security incident experienced in the past 12 months ranges between €22,000 for the very smallest German companies to $102,000 for the largest U.S. companies. Several firms report individual incidents costing £500,000-plus ($619,450). These figures only consider the direct costs of an incident – the impact on business reputation and customer confidence can be much greater.
Cyber security spending is rising fast: The majority of cyber security budgets (59 percent) are set to increase by five percent or more over the coming 12 months while one in five firms (21 percent) will lift spending by a double-digit amount. Attacks prompt more spending on technology. Around a quarter of firms that experienced a cyber-attack responded by increasing their spending on prevention or detection technologies (24 percent and 23 percent respectively).
Smaller firms hit hardest: While big firms incur the highest costs in nominal terms, the financial impact of cyber-attacks is disproportionately high for the very smallest companies. Small businesses also appear more complacent than their larger counterparts, with 29 percent saying they changed nothing following a cyber security incident (compared with 20 percent of larger firms). Smaller firms are also more reluctant to adopt key cyber security initiatives.
Board members are behind the curve: Directors and executives scored less well in the survey rankings than respondents involved in IT or finance, suggesting more needs to be done to raise awareness of cyber issues among top management.