Cyber security preparedness examined in Cyber Readiness Report 2017

Published: Monday, 13 February 2017 08:32

A study of 3,000 companies in the UK, US and Germany, conducted for specialist insurer Hiscox, reveals that more than half (53 percent) of businesses in the three countries are ill-prepared to deal with cyber attacks. The Hiscox Cyber Readiness Report 2017 assessed firms according to their readiness in four key areas (strategy, resourcing, technology and process) and ranked them accordingly. While most companies scored well for technology, fewer than a third (30 percent) qualified as ‘expert’ in their overall cyber readiness.

Findings included:

US firms come top: Nearly half of the top-ranked companies or ‘cyber experts’ (49 percent) are US-based, with a heavy weighting to multinationals and other large organizations. Larger US firms are also targeted more often than others, with 72 percent experiencing an attack in the past 12 months and nearly half (47 percent) of all US firms experiencing two or more. More than half (55 percent) say they have cyber insurance.

German firms lag: German companies make up the biggest group of bottom-ranked firms or ‘cyber novices’ (39 percent of the total). Only 43 percent of German companies believe their government is doing enough to protect them from cyber attack (compared with 62 percent in the US and 48 percent in the UK). German firms are also least likely to have cyber insurance (30 percent).

UK firms targeted less, but are slow to respond: UK firms are least likely to have experienced a cyber attack in the past year (45 percent). But more than a third (35 percent) say they have changed nothing following a cyber security incident.

Momentum builds behind cyber insurance: overall, 40 percent of firms say they have taken out cyber insurance, a higher figure than generally quoted elsewhere. The figure is highest in the US, at 55 percent, while nearly two-thirds (64 percent) of the ‘expert’ companies say they are insured for cyber risks. These higher-than-expected take-up figures may also reflect confusion over what exactly constitutes cyber insurance cover, with some companies believing they are protected under their existing insurance coverage.

Incidence of attacks is high: more than half (57 percent) of firms have experienced a cyber attack in the past year and two in five (42 percent) have had to deal with two or more. Larger companies are targeted most often. Nearly half (46 percent) of businesses took two days or more to get back to business as usual. That said, completing an investigation and any remedial work could take longer.

Costs range to over £500,000 per incident: the average cost of the largest cyber security incident experienced in the past year ranges from €22,000 for the very smallest German companies to $102,000 for the largest US companies. Several firms report individual incidents costing £500,000 plus. These figures only consider the direct costs of an incident – the impact on business reputation and customer confidence can be much greater.

Cyber security spending is rising fast: the majority of cyber security budgets (59 percent) are set to increase by 5 percent or more over the coming 12 months while one in five firms (21 percent) will lift spending by a double-digit amount. Attacks prompt more spending on technology. Around a quarter of firms that experienced a cyber attack responded by increasing their spending on prevention or detection technologies (24 percent and 23 percent respectively).

Smaller firms hit hardest: while big firms incur the highest costs in nominal terms, the financial impact of cyber attacks is disproportionately high for the very smallest companies. Small businesses also appear more complacent than their larger counterparts, with 29 percent saying they changed nothing following a cyber security incident (compared with 20 percent of larger firms). Smaller firms are also more reluctant to adopt key cyber security initiatives.

Board members are behind the curve: directors and executives scored less well in the survey rankings than respondents involved in IT or finance, suggesting more needs to be done to raise awareness of cyber issues among top management.

The study draws on the example of the ‘expert’ companies to construct a blueprint for cyber readiness. The report highlights six areas where firms should focus their efforts to make up ground, including more employee training, the tightening up of technology and the transfer of risk by way of cyber insurance.

A full copy of The Hiscox Cyber Readiness Report 2017 can be accessed at www.hiscox.co.uk/cyber-readiness-report