Why Most Companies Are Unprepared for a Cyberattack

I was looking around at what’s new online, and just discovered the Hiscox 2018 Cyber Readiness Report. This is the second Hiscox Cyber Readiness Report, conducted by Forrester Consulting, and it puts the spotlight not only on the financial consequences of individual cyber breaches but also on the enormous cost in terms of the investment made to counter the threat.

The report concludes that most companies are unprepared for cyberattacks.

And it breaks down the headlines by country:

The focus on cybercrime is something we will be covering at the Financial Services Club on March 27, when Steven Wilson, head of the Europol cybercrime unit, tells us what Europe is doing to protect itself from cybercrime (you can read more on that here). Meantime, just in case you’re thinking of reading it, here’s the summary:

Seven out of ten organisations fail the cyber readiness test

We measured organisations’ cyber security readiness according to the quality of their strategy (broken down into oversight and resourcing) and execution (processes and technology). From this we produced a cyber readiness model that divided respondents into ‘cyber novices’, ‘cyber intermediates’ and ‘cyber experts’. Nearly three-quarters of organisations (73%) fell into the novice category, suggesting they have some way to go before they are cyber-ready. Only 11% qualified as experts.

Keen awareness of the threat

While many firms lack adequate defences, most are keenly aware of the potential impact of a cyber attack. Two-thirds of respondents (66%) rank the cyber threat alongside fraud as the top risks to their business.

Larger firms show the way

The larger organisations in the sample are better prepared: more than one-in-five (21%) of those with 250 employees or more rank as experts. A further 17% qualify as intermediates. US and UK firms generally score better than the rest (13% are experts) while Dutch firms come bottom of the pile (just 7% are experts). Not surprisingly, perhaps, technology, media and telecoms organisations score highly. At the other end of the scale, professional services firms have some catching-up to do.

Smaller firms lack resources

Organisations with fewer than 250 employees devote a smaller proportion of their IT budgets to cyber (9.8% on average versus 12.2% for larger organisations). In accordance with the findings mentioned above, just 7% of smaller firms rank as cyber experts.

You get what you pay for

On average, the organisations in our sample had an IT budget of $11.2 million, of which 10.5% was devoted to cyber security. However, the cyber experts had markedly bigger IT budgets than the novices ($19.8 million on average versus $9.9 million) and devoted a higher proportion to cyber security (12.6% versus 9.9%). Some firms spent a lot more – with 37% devoting between 11% and 25% of their IT budgets to cyber. Financial services firms are the largest spenders on cyber, followed by the pharmaceuticals and healthcare sector and then government entities.

Experts more proactive

What sets the cyber experts apart from the cyber novices? Nine out of ten (89%) have a clearly defined cyber strategy, most (72%) are prepared to make changes after a breach and 97% incorporate security training and awareness throughout the workforce. Seven out of ten (72%) have conducted phishing experiments to gauge employee preparedness and three out of five (60%) say they have cyber insurance.

Evens chance of being targeted

Almost half (45%) of the 4,103 organisations surveyed were hit by at least one cyber attack in the past year and two-thirds of those targeted suffered two or more attacks. Spanish organisations were the most heavily targeted (57% suffered an attack). Financial services, energy, telecoms and government organisations are prime targets for hackers.


Costs range up to $25 million

Taking only those organisations that were targeted, the average cost of cyber crime, aggregating all incidents, to each business over the past year was $229,000. But the average masks some wide variations. For the largest organisations in the report (those with 1,000-plus employees), the average costs ranged between $356,000 in Spain and $1.05 million in the US. Some organisations faced still higher costs – up to $25 million in the US and $20 million in Germany and the UK. For the very smallest (those with fewer than 100 employees), average costs ranged between $24,000 in Spain and $63,000 in Germany.

German firms face costliest incidents

We asked organisations to estimate the cost of their single largest incident. German firms reported the highest average figures, with the highest cost for a single incident of $5 million. At the other end of the scale, Spanish organisations contained the cost per incident to a maximum of $800,000.

Spending set to rise

Nearly three out of five respondents (59%) plan to increase their cyber security budgets in the year ahead. New technology tops the shopping list despite this being the area where the bulk of firms appear best prepared. The experts lead the way: for example, more than half (55%) plan to increase spending on awareness training compared with only 29% of novices.

Watershed year for cyber insurance?

The EU’s General Data Protection Regulation (GDPR) comes into force in May. With tough penalties for the loss of personal data, it is expected to provide a boost to European take-up of cyber insurance. The report shows that one-third (33%) of respondents currently have standalone cyber cover while a further quarter (25%) say they plan to take out cover in the coming year. Nearly two out of five (38%) still say they have no plans to take out cover. Most likely to be covered are financial services firms (48%). The report also reveals considerable confusion over the extent to which firms are covered for cyber incidents under their general business policies.

Background

The Hiscox Cyber Readiness Report is compiled from a survey of more than 4,100 executives, departmental heads, IT managers and other key professionals in the UK, US, Germany, Spain and The Netherlands. Drawn from a representative sample of organisations by size and sector, these are the people on the front line of the business battle against cyber crime. While all are involved to a greater or lesser extent in their organisation’s cyber security effort, 45% make the final decision on how their business should respond.