The Hiscox Cyber Readiness Report 2017

How ready is your business when it comes to the cyber threat?

A unique gauge of cyber readiness

It is an old saying, but a true one: prevention is better than cure. In the age of e-commerce and the connected business, it has a particular ring to it. Robust defences against cyber intruders and strong processes for eliminating careless or rogue behaviour internally are now the keys to business continuity and consumer trust. Without investment in prevention, detection and training, firms leave themselves exposed to costly business interruptions and possible brand impairment.

But just how well prepared are most businesses? For the first time, we surveyed those at the sharp end of the battle against cyber crime – the executives, managers and IT specialists in charge of cyber security within their companies – to find out. We commissioned Forrester Consulting to survey more than 3,000 of these people in the US, UK and Germany, drawn from a representative sample of organisations by size and sector. As such, this report can be considered as one of the most authoritative of its kind.

The study also provides new perspectives on the scale of the challenge firms face in terms of frequency of attack, financial loss and the time it can take to get back to ‘business as usual’ following a cyber incident. The ripple effects from an attack can have a long-lasting impact on reputation and client relationships that goes well beyond the immediate financial cost.

Importantly, this report also offers a series of practical recommendations for those businesses that still have work to do when it comes to preparing for the cyber risk. Our Cyber Readiness Model, built on the responses from every company we surveyed, provides a unique gauge of cyber readiness across the three countries and a touchstone of best practice for others to follow. These recommendations focus in the main on strategy and process. They are not intended as a prescription for throwing more money at the problem but as a roadmap to better practice.

One part of the solution, adopted by an increasing number of organisations, is to transfer the cyber risk to an insurer. The report shows that while a large number of firms have already gone down this route, and many more are preparing to follow, the insurance industry still has a job to do in instilling trust in its policies, delivering clarity over what they cover and simplifying the way they are written.

At Hiscox our aim is to continue to play a constructive role in helping our clients understand and manage the cyber challenge. I hope this study serves as both an informative and useful guide for every business striving to reduce its exposure to cyber risk.

Steve Langan

Chief Executive, Hiscox Insurance


Executive summary

  • The incidence of cyber-attack is high

    More than half of firms (57%) have experienced an attack in the past year and two in five (42%) have had to deal with two or more. Larger companies, particularly those in the US, are targeted most often. The average cost of the largest cyber security incident experienced ranges from EUR€22,000 for very small German companies to US$102,000 for very large US companies - somewhat lower than the headline figures often seen.

  • It takes time to get back to 'business as usual'.

    Although three out of five businesses (62%) took less than 24 hours to uncover their biggest cyber incident in the past 12 months, and a quarter (26%) did so within an hour of its occurrence, nearly half (46%) of businesses took two days or more to get back to business as usual.

  • Cyber security spending is on the increase.

    The majority of cyber security budgets (59%) are set to increase over the coming 12 months by at least 5% and one in five firms (21%) will lift spending by a double-digit amount. Nearly half (47%) of firms plan to increase spending on staffing by 5% or more.

  • Attacks prompt more technology spend.

    Around a quarter of firms that experienced a cyber-attack in the past year responded by increasing their spending on prevention technologies (24%) or detection technologies (23%), even though most firms already appear to be well invested in both areas.

  • Smaller firms hit hardest.

    While big firms incur the highest costs in nominal terms, the financial impact of cyber-attacks is disproportionately high for the very smallest companies. Small businesses also appear more complacent than their larger counterparts, however: 29% say they changed nothing following a cyber security incident, compared with 20% of larger firms.

    In terms of adopting key cyber security initiatives, the gap between larger companies and smaller businesses is greater still. For example, while 62% of larger companies say that practising their crisis communications response is a critical or high priority, only 47% of smaller firms say the same.

  • More than half of firms rank as cyber 'novices' in the cyber readiness test.

    Analysing four dimensions of cyber readiness, we created a Cyber Readiness Model, grading firms as either 'cyber experts', 'cyber opportunists' or 'cyber novices'. The experts accounted for just 30% of the survey group while novices made up more than half (53%), suggesting the majority of companies have some way to go before they can claim to be cyber ready.

  • Six steps for moving from 'novice' to 'expert'.

    Our analysis of the gaps between the experts and the novices highlights six areas where the novices can focus their efforts and make up ground. Most are strategy and process-related and do not involve a major financial outlay. The involvement of top management, more employee training, and systematic tracking and documentation are prominent among them. For most companies, throwing more money at the problem is not the answer.

  • Momentum builds behind cyber insurance?

    The take-up of cyber insurance appears to be set to accelerate sharply in the coming year. Nearly half (46%) of those firms that have yet to insure against cyber risks say they are planning to do so in the next 12 months.