Crunching the cyber security numbers

From more spend on systems and training to more financial losses, everything in the world of cyber security is on the up. We look behind these trajectories to understand the true state of the market.

More businesses than ever are calling themselves cyber security experts, more is being spent on cyber security and more employee training is taking place. But, by the way, more businesses are suffering as the result of an attack. So are things getting better or worse? The Hiscox Cyber Security Readiness Report 2020 has analysed what this all means when it comes to the state of the cyber security market.

Number of experts: increased by 8%

The number of firms that qualified as experts nearly doubled in the past year – from 10% to 18%. This is impressive given that a larger number of companies with 1–9 employees, which tend to fall into the ‘novice’ category, were surveyed in this year’s report (almost a third, versus 18% the year before). While messaging around cyber security is starting to take hold, Steve Ridley, Cyber Underwriting Manager at Hiscox UK, is quick to point out that this increase still amounts to “a relatively small proportion of businesses”.

Cyber-security spend: increased by 39%

An increase in spending is yet more evidence that cyber security is becoming ingrained in business operations. But with this figure comes the concern that some companies are using their cyber security budget as a quick fix. To really make your business secure, Steve says, organisations need to change their whole mindset, with cyber security becoming an inherent part of the business: “It’s being part of the day-to-day thinking of everyone in your organisation, from the top down.”

Nevertheless, spending is a good first step, Steve says. The fact that there is “a lag between people implementing spending and starting those early steps of their journey, through to it actually becoming fully embedded in an organisation” could mean that cyber security is heading in the right direction as a strategic investment.

Firms responding to a breach by adding security and training: doubled

On the surface, this looks positive. After all, firms need to spend on security and training to develop that cultural shift. But Steve points out that the focus of this spend and training is not always on point. “Some companies will have a cyber security issue and then get fixated with that, wanting to prevent it from happening again,” he says. “It can be a case of closing the stable door after the horse has bolted as cyber threats don’t necessarily come through the same door.”

Instead, firms need to take a step back – whether they’ve experienced a breach or not – and fully review their cyber security approach. Steve notes that this approach can already be seen in some organisations. “People are starting to look at cyber security more proactively, rather than just after the event. But we’re still not seeing enough companies doing that full analysis.”

Cyber losses: rose nearly six-fold

Hackers will always be one step ahead. They’ve moved from what Steve describes as a “pack it high, sell it cheap” scatter-gun approach, hitting as many people as possible and hoping to get a few bites. Now, attacks are much more targeted, and once hackers are in they’ll take their time to refine their attack.

“Once they’ve got into a network, hackers will figure out if there’s any particularly valuable data within the systems that they could exfiltrate,” Steve explains. “They’ll up the ante from a ransom perspective, and actually charge more of a bespoke ransom amount based on the end piece.”

Regulatory changes, such as the introduction of GDPR, also means the process of responding to an attack is much more costly. “Before, if it was a ransomware incident you’d pay the ransom, restore the back up, and it was wrapped up in a week. Now there’s a lot more investigation: working out what information has gone; what could have happened with it; who’s potentially impacted by it; which regulators you need to notify; and whether there are customers you need to notify. These costs just spiral.”

Impact of Covid-19: still calculating

What the report couldn’t have prepared anyone for was the impact of a global pandemic on cyber security. Steve believes the expediting of remote working will have made lots of companies realise just how reliant they are on their technology and the key role it plays in their organisation. “I think this period we’re going through will only serve to drive that awareness even more, and hopefully lead to a continuing positive trend in terms of how people are managing cyber risk,” says Steve.

These trends do make one thing clear: things are moving in the right direction. Awareness of cyber security is only growing, and this is making businesses more secure today than ever before. Businesses, however, can’t let this upward trajectory lead to complacency. “There will always be new threats,” concludes Steve. “Cyber security remains a process of continuous improvement.”