image showing business woman holding laptop in dark room

The Hiscox Cyber Readiness Report 2023


53% of companies reported a cyber attack in the past 12 months

Amid high inflation and rising interest rates, our seventh annual Hiscox Cyber Readiness Report reveals how businesses are handling cyber risks in a difficult economic climate.

While cyber security remains a pressing issue, fewer countries now rank it as their top business priority. Perhaps unsurprisingly, our report reveals economic factors and competition have gained more focus.

The proportion of companies facing attacks has also climbed for the third straight year, with smaller businesses hit particularly hard.

But while cyber attacks have slipped down priority lists and affected more businesses, there are still some signs of improvement.

The median cost of attacks has dipped slightly, our report reveals. What’s more, firms have significantly raised their cyber security spending over the past three years.

The Hiscox Cyber Readiness Report offers a unique gauge of the state of commercial cyber security across eight markets – the UK, the US, Spain, the Netherlands, Germany, France, Belgium and Ireland.

In 2022, we showed how companies were adapting to a post-pandemic world of hybrid working and cloud servers. One year on, attacks remain high. Yet the business community continues to recognise the threat despite economic uncertainties.

International data reveals third straight rise in attacks

The results of our 2023 report arrive as businesses adapt to economic challenges at home and abroad. High inflation and interest rates have combined with weak growth to leave an uncertain financial environment.

Our research paints a mixed picture of the eight international markets we cover. It shows:

  • The majority of businesses have faced cyber attacks. The proportion has risen for the third year in a row, from 48% to 53%.
  • Smaller companies continue to be hit hard. Around a third (36%) of businesses with fewer than 10 employees have been attacked, our report reveals. This figure is up by more than half over the last three years.
  • Fewer countries name cyber risk as their top priority. Five out of eight countries now say it’s their main business risk, down from seven. Economic issues and competition have risen up the agenda.
  • Fraud is the largest cyber threat. Payment diversion fraud has caused financial losses for one in three (34%) firms.
  • Business email compromise is the top way of gaining access. Corporate and cloud servers are the next most popular routes for hackers.
  • The median cost of attacks has dipped. It’s now just over $16,000, compared to nearly $17,000 last time.
  • Big losses remain common. Costs have reached $250,000 or more for 12% of attack victims.
  • Median cyber security spending has grown. Over three years, it’s climbed 39% to $155,000. Over a two-year period, the figure has quadrupled for firms with fewer than 10 employees.
  • Fewer ransomware victims are paying up. Under two thirds (63%) have met ransom demands, down from 66%.

UK businesses amongst least likely to face cyber attacks

When focusing specifically on the UK, our data reveals some encouraging trends. UK businesses are second only to Belgium as least likely to encounter cyber attacks. However, the rate remains high, with 48% of companies attacked once or more.

Meanwhile, median costs have fallen considerably when it comes to both overall attacks and the single largest attack. For 43% of businesses, the maximum cost of a single attack is now under $5,000. This figure was only 35% last time round.

Our other UK findings show:

  • Companies have faced a median of six attacks. This is double the previous figure.
  • Business email compromise is the most common entry point. The same goes for companies in Germany and the US. The figure is highest among food and drinks firms, at 64%.
  • IT resource misuse is the most common result of an attack. Almost one in three (29%) firms have reported this. The rate is highest among energy firms, at 54%.
  • Regular security evaluations are the most common reaction to an attack. Some 37% of firms have adopted this approach following incidents.
  • More than half of firms feel more vulnerable due to remote working. Pharmaceutical and healthcare companies agree with this the most (74%), our data shows.
  • Businesses spend a median of $605,000 on their overall IT budgets. This figure is highest in the financial services industry, at more than $9,848,000.

image showing graphic that reads: UK businesses experienced a median of six cyber attacks across 12 months

graphic that reads: 48 per cent of UK businesses reported experiencing at least one cyberattack in the last 12 months

graphic that reads: 59 per cent of UK organisations agree that they are more vulnerable to cyberattacks due to employees working remotely

The Cyber Threat Ranking Table

Tackling cyber crime: How prepared is your line of work?

As attacks continue to rise, it may help to understand your company’s place in the cyber security landscape.

Our Cyber Threat Ranking Table highlights the main risks UK firms face, according to sector, and how equipped each industry is.

It looks at the number and costs of cyber events, alongside the strength of protection, to sort the cyber superstars from those playing catch-up.

The data comes from the UK arm of the Hiscox 2023 Cyber Readiness Report, with each sector given a ‘risk score’. This is based on how optimistic business leaders are about their ability to deal with future cyber attacks.

Our Cyber Threat Ranking Table also looks at companies by business size, showing the scale of the challenge for smaller UK firms.

Whether you own a small business or work within the security department of a major corporation, this resource provides a quick way to gauge the threats you, and your peers, are facing.

Cyber readiness by business sector - figures given in risk scores
Industry Percentage of IT budget spent on cyber security  The number of organisations that have experienced one attack or more Companies with a cyber insurance policy Does your organisation have a dedicated cyber role  Reviewing cyber insurance policies  Implementation of systems to detect unauthorised activity  Median financial cost of cyber events $ (last 12 months)  Risk Score
Professional services 7 4 7 7 7 6 7 45
Business services 7 3 7 7 4 7 2 37
Construction 7 8 5 5 7 4 8 44
Property 7 4 7 6 7 10 10 51
Energy 6 8 5 4 8 3 6 40
Financial services 5 7 5 4 7 4 6 38
Manufacturing 7 10 5 5 4 5 5 41
Pharma and Healthcare 5 10 5 5 8 8 8 49
Retail and Wholesale 5 10 6 6 4 5 5 41
Technology, Media & Telecommunications 5 4 5 5 4 4 4 31
Transport and Distribution 7 4 6 5 5 7 1 35
Travel and Leisure 5 7 5 7 10 5 9 48
Government/Non-profit  7 10 5 6 4 8 1 41
Food and Drink 8 10 5 7 3 8 4 45

 

Cyber readiness by business size - figures given in risk scores
Business size  Cyber budget (%) The number of attacks an organisation has experienced (Median) Cyber insurance policy (%) Dedicated cyber role (%) Cyber policy (%) Cyber attack detection (%) Median financial cost of cyber events $ (last 12 months) Risk Score
1-9 employees 7 5 7 8 7 4 10 48
10-49 employees 7 3 5 5 6 5 10 41
50-249 employees 5 4 4 4 4 6 8 35
250-999 employees 5 4 4 4 5 5 4 31
1000+ employees 5 10 4 4 6 6 1 36

* Disclaimer: The property, energy, food and drink, travel and leisure sectors in the UK used sample sizes of less than 50, therefore the data for these sectors may not be representative.

What the Cyber Threat Ranking Table shows

Property sector takes highest risk score

Property now has the highest risk score (51) of all the sectors included in our research. It overtakes travel and leisure, which scored 48 both last year and this year. It’s followed by pharma and healthcare, whose score has climbed from 39 to 49 over the past year. The food and drink industry also faces a higher risk score than last year, rising from 31 to 45.

On a more positive note, a range of industries have reduced their risk scores since our last check-in.

These include:

  • Technology, media and telecommunications. This now has the lowest risk score of all sectors, falling from 33 to just 31.
  • Financial services. This year’s score of 38 marks an improvement from 39 last time round.
  • Business services. The latest risk score of 37 is lower than last year’s 42.

Overall, the government and non-profit sector has endured the most cyber attacks this year, with a median of 37.5. It’s also faced the highest cost per organisation, recording a median of $74,717. Across all businesses, the median cost comes to $24,200.

Financial services firms are the most likely to have dedicated cyber security roles, at 59%. This score stands at 46% across all businesses.

Smallest firms face biggest risk scores in 2023

When ordered by business size, it’s the smallest firms who take the highest risk scores. Those with one to nine and 10-49 employees come out on top, with respective scores of 48 and 41. These are up from 39 and 37 last year.

At the other end of the scale, those with more than 1,000 staff members have seen their risk score fall from 38 to 36. Firms with 250-999 employees have the lowest overall score (31).

Businesses with 50-249, 250-999 and over 1,000 employees spend the highest percentage of their IT budgets on cyber security, at 20%. The median across all UK businesses is now 19%.

Elsewhere, organisations with 50-249 employees now have the strongest uptake of cyber insurance. More than half (53%) say they have cyber insurance in place. This is higher than the figure of 37% for all businesses.

How the Cyber Threat Ranking Table works

The Cyber Threat Ranking Table orders the threat by industry – the higher the total risk score, the more exposed your sector is, according to our statistics.

The data is taken from the UK arm of the Hiscox 2023 Cyber Readiness Report. This research shows that attacks remain common, despite significant spending on IT budgets.

As the table reveals, these trends are not spread evenly – for some sectors, increased investment has been enough to counter threats, but others remain more exposed.

At Hiscox, we know every small business is unique. Consultants, graphic designers and builders can all face different cyber threats. The column showing the number of organisations experiencing attacks will tell you how common they are in your line of work.

Some cyber attacks are far costlier than others and big breaches tend to target certain sectors. Explore the ‘cost of cyber events’ column to see the median cost for your industry during the year to 2023.

The table also illuminates key differences in cyber security investments. These include security budgets, roles dedicated to cyber risks and spending on cyber insurance.

The value of learning lessons

The 2023 Hiscox Cyber Readiness Report offers a mixed set of results. On the one hand, more businesses are encountering cyber attacks, with smaller-scale firms at particular risk. On the other, cyber security spending continues to grow and fewer firms are giving in to ransomware demands.

Whatever your sector and business size, our research aims to shine a light on the potential areas in need of attention. It could ultimately help your company to pinpoint specific risks and guard against complacency.

*Data collected from a global study and all figures presented in US dollars.

Read more about what Hiscox can offer