As our fifth annual Hiscox Cyber Readiness Report is published, we take a look at some of the key trends and findings.
The report was compiled in collaboration with research firm Forrester. More than 6,000 businesses of varying size from across eight countries were surveyed. Taking the views of executives, IT managers, departmental heads, and other key professionals, the report provides a snapshot of how companies across the world are responding to cyber-crime.
Attacks are on the rise
The percentage of businesses surveyed who said they had experienced a cyber attack rose from 38% to 43% in this year’s report, with many businesses saying they had experienced multiple attacks. In the UK, 69% of respondents who said they had experienced a cyber attack said that this had happened more than once during the last year. Globally, one in six businesses said they felt that the survival of their business was at risk from cyber attacks.
Steve Ridley, Cyber Underwriting Manager at Hiscox UK, says: “What we’ve seen this year is a difference in the size of cyber attacks. The median cost of a cyber attack is about £10,000, but it could be much bigger. The largest breach reported in the survey in 2020 caused a loss of just under £500,000. For a small company, that is a large amount of money and a risk that needs to be taken seriously.”
How do firms combat that problem? “Firms might want to hire someone or use an external expert,” adds Steve. “But it’s clear that companies do need consider the risk and their response.”
Leaving windows open
The survey found that the routes used by cyber criminals to gain access to a business were varied, and that there had been a shift in terms of focus. According to 37% of respondents, the first point of entry had been corporate-owned servers. Cloud-based servers came second (31%), followed by company websites (29%) and employee errors, including phishing scams (28%).
For UK firms, there were a variety of first points of entry, with the country scoring above average on attacks as a result of phishing (32%), attacks on corporate-owned mobile devices (28%) and attacks on company websites (30%). UK businesses also ranked highly in terms of virus outbreaks and loss of encrypted data, although they performed well in their ability to deal with these attacks.
The figures differed depending on which sector was responding to the survey. Professional services, construction and financial services firms cited corporate servers as being particularly susceptible to an attack, whereas customer-facing businesses were more likely to have faced an attack on their websites (such as a DDoS attack).
The survey found that ransomware continues to be a problem, with phishing emails being the main starting point. However, only around one in six of business who said they had suffered a cyber attack said the attack had come in the form of a ransom demand.
Despite the rise in cyber attacks, 27% of respondents globally had standalone insurance in place (an increase of 1% from last year). Adoption of insurance cover was highest among larger organisations and those that were ranked as cyber Experts in our Cyber Readiness Model. Nearly three quarters of companies responding to the survey had no standalone cyber insurance in place, but 34% said that they had cyber coverage as part of another policy.
Increased spending on IT
The survey found that many businesses increased their spending on cyber-crime prevention last year.
While the average IT spend actually fell by $0.3m globally last year, the survey found that more resource had been dedicated towards cyber security. According to the report, the average business now devotes more than a fifth (21%) of its IT budget towards cyber-security, an increase of 63% on last year. In the UK, that means an average of £1.44m ($1.98m) was spent by companies on cyber-crime prevention.
“What we have seen is that there hasn’t been a significant increase in overall IT spending, but the bit that’s ringfenced for cyber has stayed. So in relative terms, companies are spending more on cyber crime prevention,” says Steve.
It pays to be an expert
While many firms had increased their IT spend on cyber protection, the survey found that those who ranked as Experts in our Cyber Readiness Model were far less likely to have suffered significant losses and were able to recover from attacks much quicker.
The Hiscox Cyber Readiness Model categorises businesses into three groups in terms of cyber readiness: Cyber Novices, Intermediates, and Experts. By doing so, it is easier to see where cyber-attacks were most successful and what businesses need to do prevent against losses. “Experts had fewer ransomware attacks, fewer fell victim to phishing emails, and when they were hit they recovered more quickly,” says Steve.
One of the ways companies can protect against cyber-attacks is through employee training. Other solutions involve updating old technology and putting modern prevention systems in place. Half of the UK firms that were considered to be Experts in our Cyber Readiness Model planned to increase their IT spending on new technology, compared to just 20% of Cyber Novices.
It appears that many UK firms recognise the value of having expertise in dealing with cyber threats. British companies registered the second highest proportion of cyber Experts (23%), second only to their US counterparts (25%). That figure grew in larger UK firms, with 33% of them being recognised by the survey as being cyber Experts. And, out of all the countries surveyed, UK firms were found to be the least likely to have experienced an attack (36% said they had) and the most likely to have defended against an attack before it caused any damage (13% vs. 9% of total survey respondents). Conversely, UK SMEs with under ten employees were more likely to be Cyber Novices, with 62% saying they they had little expertise in dealing with cyber threats.
“It may well be easier for larger organisations to spend on improving their cyber-crime proficiency – be it through hiring experts or training staff – but companies of all sizes would benefit from improving their resilience”, says Steve.
“Building that resilience and having expertise isn’t going to guarantee companies aren’t attacked, but it means they’re less likely to fall victim to an attack and, if they do, they should be able to bounce back more quickly,” adds Steve. “It’s not just about avoiding the problem, but about minimising the impact and increasing resilience. The more prepared you are, the safer you are going to be.”
To find out if your firm is cyber resilient, take our online Hiscox Maturity Model.
The full Hiscox Cyber Readiness Report 2021 can be read here.