Despite a year dominated by huge data breach stories – not least the WannaCry attack – seven out of ten businesses failed our latest cyber readiness test, designed to measure how well organisations are prepared to deal with cyber risk. In our new Hiscox Cyber Readiness Report 2018 – a study of more than 4,000 organisations across the UK, US, Germany, Spain and the Netherlands – we found major shortcomings in cyber security readiness at nearly three-quarters (73%) of firms.
For small to medium-sized UK businesses of fewer than 250 employees, the failure rate was higher at 78%, although we can at least take some comfort that the UK performed slightly better than the other countries in the survey apart from the US, whose small to medium-sized businesses were at 77%.
Smaller businesses just as vulnerable
If you are a smaller firm – one with 1-19 employees – should this be a worry? Bigger organisations are targeted more often by hackers: across our survey, nearly half (45%) of all businesses had been hit by at least one cyber attack over the last 12 months. Even so, just over a quarter of smaller firms (27%) said they had been attacked, and another 6% said they didn’t know.
Of those SMEs hit by an attack, more than half (51%) were hit more than once in the 12-month period. The most likely method of attack was a virus/worm infestation, given by 14%, while ransomware was mentioned by 7%. Particularly interesting is how a cyber attack can hit day-to-day operations, with nearly two-fifths (38%) of smaller businesses saying it took more than eight hours to return to business as usual, including 13% who took up to a week. Research from 2017 suggests that small businesses take longer to recover from cyber attacks than their larger counterparts. Even a day’s disruption can have a significant impact on the fortunes of a smaller business.
Smaller businesses know they need to invest more
The good news is that, increasingly, SMEs recognise the need to invest more in their digital security, alongside expenditure on small business cover for physical assets. The average business in our survey spends 10.5% of its IT budget on cyber security, with larger organisations spending 12.2%. Smaller firms, however, spend the least at 8.9% of their IT budget, although over half (52%) are looking to increase their IT security spending in the next 12 months.
At the top of the shopping list for 53% of respondents will be an investment in new security technology. Surprisingly perhaps, and given how effectively it can help combat the cyber threat, 42% of smaller firms expect to spend less on employee awareness training over the next 12 months. Almost all the businesses classed as cyber experts in our survey are characterised by the very high levels of training and awareness they provide for their employees and are convinced that it has reduced the number of disruptive cyber incidents.
Upcoming cyber challenges
Later this year, of course, comes the implementation of the EU’s General Data Protection Regulation (GDPR) which beefs up the financial and regulatory penalties against businesses for loss of, or failure to adequately secure, clients’ personal data. Despite this, 45% of the smaller businesses we surveyed are either neutral or don’t agree that GDPR is a top priority for them. As Robert Hannigan – the former Director of the UK Government’s Communications Headquarters (GCHQ) – points out in our report, mandatory declaration of cyber breaches under GDPR is likely to raise, still further, the reputational risk to businesses from a successful cyber attack.
Research was conducted by Forrester Consulting on behalf of Hiscox from October to November 2017.