July 2020 featured report:
Cyber risk is one of the biggest issues facing businesses these days. One finding of the 2020 Hiscox report into cyber risk readiness is that there has been real advance in the preparedness of businesses to the threat of cyber attack.
While this is encouraging, there are other, more concerning trends. Most important is that the cost of criminal activity against businesses is now increasing. The numbers, in terms of the ransoms that businesses are paying, are frightening. This is a major problem and won’t go away overnight – if indeed ever.
Readiness alone isn’t enough
Being prepared doesn’t guarantee that you’re secure, but it does increase your chances of defeating an attack if you’ve got the right level of preparedness and put the right measures in place. Hiscox, as a cyber insurer, believes that the breach is not the end of the process. It notes that the level of cover businesses are looking for is not about the cover itself; they want access to the experts so that they can improve their response for the future.
The first lesson these businesses have learned is that it is not just about dealing with the incident, but about learning from it, so that it is more difficult next time for criminals to cause a breach and any losses can be minimised.
Few seeking specialist cover
Another highlight of the report is that more than half of the businesses surveyed still rely on general cover for cyber risk rather than standalone cyber cover. This is odd, because while they probably have fire and theft cover, they’re more than 15 times more likely to suffer a cyber attack than to suffer losses from fire or theft. In the UK, that equates to a 30% chance for a breach compared to 2% for fire and theft.
Employee behaviour remains an important issue that must be addressed. So often it is the cause of the attack being successful, because people, either unwittingly or through malice, open the door for criminals to get in. Hiscox has greatly expanded its Cyber Clear Academy and trained more than 12,000 client employees in cyber risks.
The rise of the cyber expert
In the year since the last survey, the number that qualify as experts within the Hiscox model has leapt from 10% to 18%.
Spending on cyber security is up by almost 40% (39%), with the expert firms spending most and intending to continue to do so. But the losses are increasing. Total cyber losses among the affected firms were $1.8 billion, a 50% increase on the previous year’s $1.2 billion. That’s a frighteningly large figure. The median cost per affected firm is $57,000, which has increased by a factor of six in that period.
There were fewer events, with 39% of firms attacked compared with 61% in 2019. But a massive amount has been withdrawn from businesses. The largest loss in the UK was at a financial services firm that amounted to $87.9 million.
Digitalisation means a greater number of digital touchpoints. This creates more opportunities for criminals, unless implementation projects are fully up to speed on mitigating cyber risk.
“Digital transformation is not a simple process,” says Cisco’s 2019 paper into The Evolution of Cybersecurity and Cyber Risk, “and organisations are faced with workforce, data, standardisation, and of course security challenges.
“For operational environments, every new connection point and source of data is an opportunity – but also a risk. Risk is the critical consideration to an organisation, as security controls are implemented to minimise risk exposure and protect against cybersecurity risk-related threats.”
More than 6% of firms have paid a ransom and their losses amounted to $381 million.
Among the group of novice companies, almost one in five (19%) of those experiencing a cyber event ended up paying a ransom.
Smaller businesses are more vulnerable, and through a lack of readiness and ignorance, are paying the price.
Learn from your mistakes
The good news is that when there’s a breach, businesses are taking action and are adding new security and spending more on their employee training to reduce risk and reduce the opportunities for cyber criminals.
A Chubb study across nine incident types at APAC SME businesses found that network disruption was often the result of human error and system faults or malfunctions (see image below). It showed that these were responsible for more than one third (36%) of incidents across the markets surveyed in 2019.
However, malicious activity at small businesses was responsible for a significant proportion. The most common attacks were phishing scams (28%) that tricked employees into clicking on seemingly innocuous links that resulted in the system being compromised.
This problem is global and growing exponentially. The lowest increase between 2019 and 2020 was in France, but even there the cost increased by a factor of four. The largest increase was in Spain, where the median cost went from $5,000 to $74,000, highlighting how costly this is becoming.
Big companies are targeted most: more than half of all enterprise firms with more than 1,000 employees said they had at least one cyber incident. They also had the most cyber incidents – the median figure was 100 – and a median of 80 breaches.
Large companies will be targeted more, but it may be that the frequency of attack is in fact higher at smaller companies, which are not spending the time and resources needed to identify attacks, so these go unrecorded.
Hiscox says that failure to spend adequately on cyber security appears to be a common thread. In the majority of sectors, it was big firms with more than 700 computers that devoted less than 8% of their IT budget to cybersecurity that became super targets.
The most highly targeted sectors are financial services, manufacturing and technology, media and telecoms, with 44% of firms in each sector reporting at least one incident or breach. Perhaps unsurprisingly, these are also the sectors that are best prepared as far as the model that Hiscox has developed is concerned, which just indicates how heavily targeted they are.
However, 11% of businesses did not know how many times they had been targeted, up from 4% the previous year. The largest percentage of don’t knows was 15% among enterprise firms with more than 1,000 employees. That is not only a worrying figure, but a worrying trend if that number has trebled over the past year.
Standards are rising
Part of the reason for the increase in cyber readiness has been the inclusion of businesses from the Republic of Ireland. This is the first time they’ve been included, and 24% qualified as experts, with 89% of them having a dedicated cyber risk team. That may be because so many technology and financial services businesses are headquartered or registered in Ireland, and they are therefore more aware of this.
Despite the lower rate of cost increase noted earlier, France has spent the past year trebling its number of expert firms from 6% to 18%, having been seen as behind the curve in previous surveys.
While there are a number of things that businesses can do, such as forming dedicated cyber risk teams, learning from breaches and not relying on general cover, some of it is simply getting the basics right first.
Firstly, identify every device in the organisation that could be breached and back the data up off site.
Then, make sure all virtual doors and windows are closed. The US National Institute of Standards and Technology has created five imperatives for a successful cyber framework – identify, protect, detect, respond and recover. This is a useful checklist for businesses to bear in mind when creating their own framework.
Engagement as important as spending
Throwing money at the problem isn’t necessarily the answer, but penny pinching is a false economy. The more people a company has dedicated to cyber security, the more likely it will become an expert in the area.
The reason that novice companies suffer breaches is that they don’t have the training to make them aware of the risks. A lack of resources is only partly the issue. Almost three quarters of the micro businesses ranked as experts intended to prioritise a rollout of effective employee training over the coming year.
Among the experts, nine out of 10 agreed that cyber security was a top priority for their executive management. Only half of novice firms would say the same.
When it comes to priorities for the coming year, only a quarter of micro firms ranked as novices recognised the need to enhance executive management engagement in their policies on cyber security.
Resilience is the key
Ultimately, you need to build resilience. No business will ever be completely secure, but preparing for a breach, testing for it and having the capability to respond quickly and effectively will build resilience.
Having a standalone cyber insurance policy helps build that resilience through certainty of cover and access to the insurer’s specialist expertise, risk assessment, crisis management and training.
For more, see the full report.