The Hiscox Cyber Readiness Report 2018

How ready is your business when it comes to the cyber threat?

Countering the cyber threat

Cyber security poses a challenge unlike any other. Businesses large and small, both public and private, face an enemy that is unseen and largely unknown, has seemingly shape-shifting powers and appears utterly unrelenting. Each year brings a renewal of the contest but in a subtly different form. This is an enemy that can be confronted but never quite defeated.

If anyone still harboured doubts about the severity of the threat, the events of the past year should have dispelled them. From the WannaCry ransomware attack to the hacking of one of the world’s largest credit agencies, 2017 produced numerous reminders that operating in a connected world has fearsome perils. The cost of these attacks has undoubtedly run into the billions.

It is an old adage that you should hope for the best but plan for the worst. That is certainly true when it comes to battling cyber crime. In today’s world, there is no alternative to investing in sophisticated prevention and detection systems and supporting them with the people and processes that will make them effective. This study not only reinforces that message but it provides a detailed picture of what cyber readiness really looks like.

This is the second Hiscox Cyber Readiness Report, conducted by Forrester Consulting, and it has been expanded to cover more than 4,100 organisations, large and small, in both private and public sectors, across five countries – the UK, USA, Germany, The Netherlands and Spain.

It puts the spotlight not only on the financial consequences of individual cyber breaches but also on the enormous cost in terms of investment made to counter the threat. Above all, it measures the cyber readiness of respondents using a multi-dimensional model built on best practice in cyber strategy and execution.

As an end of term report, it might have the words ‘can do better’ scrawled on it in red ink. It highlights the cyber readiness shortcomings of the majority of the organisations in our sample, particularly the smaller ones.

On the plus side, however, it offers valuable insights into how firms can up their game and strengthen their defences. Often the answer is not ‘more technology’ but proactive thinking, more rigorous processes and better trained staff.

Hopefully, this report will provide a spur to further action. It is certainly timely. As the following pages show, if an organisation was spared a serious attack in 2017, there is a good chance it will be targeted in the future. The resultant economic loss is only part of the story; the potential harm to a firm’s reputation and its standing with customers can be significantly more damaging.

For an increasing number of organisations, a key part of the solution is to transfer some or all of the risk to an insurer. Hiscox is a specialist provider of cyber and data risk insurance, providing standalone cover to more than 20,000 firms, big and small, around the world under the CyberClear brand. For many of those customers, peace of mind is matched by the knowledge that they can turn to us to help them get back up and running after a serious incident.

As an indication of how seriously we take the issue of customer support in this area, we have just launched a cyber academy, which is designed to aid cyber risk awareness among our customers and improve their ability to detect and respond to cyber threats.

At Hiscox, we will continue to expand our services in cyber and play our part in helping mitigate the impact of cyber crime on our customers. We hope that in aiding understanding of the issues involved, and highlighting cyber readiness best practice, this report contributes to that process.

Gareth Wharton

Cyber CEO

Hiscox Cyber Readiness Report 2018

Download the report

Executive summary

Hope for the best but plan for the worst

We measured organisations’ cyber security readiness according to the quality of their strategy (broken down into oversight and resourcing) and execution (processes and technology). From this we produced a cyber readiness model that divided respondents into ‘cyber novices’, ‘cyber intermediates’ and ‘cyber experts’. Nearly three-quarters of organisations (73%) fell into the novice category, suggesting they have some way to go before they are cyber-ready. Only 11% qualified as experts.
While many firms lack adequate defences, most are keenly aware of the potential impact of a cyber attack. Two-thirds of respondents (66%) rank the cyber threat alongside fraud as the top risks to their business.
The larger organisations in the sample are better prepared: more than one-in-five (21%) of those with 250 employees or more rank as experts. A further 17% qualify as intermediates. US and UK firms generally score better than the rest (13% are experts) while Dutch firms come bottom of the pile (just 7% are experts). Not surprisingly, perhaps, technology, media and telecoms organisations score highly. At the other end of the scale, professional services firms have some catching-up to do.
Organisations with fewer than 250 employees devote a smaller proportion of their IT budgets to cyber (9.8% on average versus 12.2% for larger organisations). In accordance with the findings mentioned above, just 7% of smaller firms rank as cyber experts.
On average, the organisations in our sample had an IT budget of $11.2 million, of which 10.5% was devoted to cyber security. However, the cyber experts had markedly bigger IT budgets than the novices ($19.8 million on average versus $9.9 million) and devoted a higher proportion to cyber security (12.6% versus 9.9%). Some firms spent a lot more – with 37% devoting between 11% and 25% of their IT budgets to cyber. Financial services firms are the largest spenders on cyber, followed by the pharmaceuticals and healthcare sector and then government entities.
What sets the cyber experts apart from the cyber novices? Nine out of ten (89%) have a clearly defined cyber strategy, most (72%) are prepared to make changes after a breach and 97% incorporate security training and awareness throughout the workforce. Seven out of ten (72%) have conducted phishing experiments to gauge employee preparedness and three out of five (60%) say they have cyber insurance.
Almost half (45%) of the 4,103 organisations surveyed were hit by at least one cyber attack in the past year and two-thirds of those targeted suffered two or more attacks. Spanish organisations were the most heavily targeted (57% suffered an attack). Financial services, energy, telecoms and government organisations are prime targets for hackers.
Taking only those organisations that were targeted, the average cost of cyber crime, aggregating all incidents, to each business over the past year was $229,000. But the average masks some wide variations. For the largest organisations in the report (those with 1,000-plus employees), the average costs ranged between $356,000 in Spain and $1.05 million in the US. Some organisations faced still higher costs – up to $25 million in the US and $20 million in Germany and the UK. For the very smallest (those with fewer than 100 employees), average costs ranged between $24,000 in Spain and $63,000 in Germany.
We asked organisations to estimate the cost of their single largest incident. German firms reported the highest average figures with the highest cost for a single incident of $5m. At the other end of the scale, Spanish organisations contained the cost per incident to a maximum of $800,000.
Nearly three out of five respondents (59%) plan to increase their cyber security budgets in the year ahead. New technology tops the shopping list despite this being the area where the bulk of firms appear best prepared. The experts lead the way: for example, more than half (55%) plan to increase spending on awareness training compared with only 29% of novices.
The EU’s General Data Protection Regulation (GDPR) comes into force in May. With tough penalties for the loss of personal data, it is expected to provide a boost to European take-up of cyber insurance. The report shows that one-third (33%) of respondents currently have standalone cyber cover while a further quarter (25%) say they plan to take out cover in the coming year. Nearly two out of five (38%) still say they have no plans to take out cover. Most likely to be covered are financial services firms (48%). The report also reveals considerable confusion over the extent to which firms are covered for cyber incidents under their general business policies.

The incidence of cyber-attack is high

More than half of firms (57%) have experienced an attack in the past year and two in five (42%) have had to deal with two or more. Larger companies, particularly those in the US, are targeted most often. The average cost of the largest cyber security incident experienced ranges from EUR€22,000 for very small German companies to US$102,000 for very large US companies - somewhat lower than the headline figures often seen.
It takes time to get back to 'business as usual'.

Although three out of five businesses (62%) took less than 24 hours to uncover their biggest cyber incident in the past 12 months, and a quarter (26%) did so within an hour of its occurrence, nearly half (46%) of businesses took two days or more to get back to business as usual.
Cyber security spending is on the increase.

The majority of cyber security budgets (59%) are set to increase over the coming 12 months by at least 5% and one in five firms (21%) will lift spending by a double-digit amount. Nearly half (47%) of firms plan to increase spending on staffing by 5% or more.
Attacks prompt more technology spend.

Around a quarter of firms that experienced a cyber-attack in the past year responded by increasing their spending on prevention technologies (24%) or detection technologies (23%), even though most firms already appear to be well invested in both areas.
Smaller firms hit hardest.

While big firms incur the highest costs in nominal terms, the financial impact of cyber-attacks is disproportionately high for the very smallest companies. Small businesses also appear more complacent than their larger counterparts however, with 29% saying they changed nothing following a cyber security incident compared to larger firms (20%).

In terms of adopting key cyber security initiatives, the gap between larger companies and smaller businesses is greater still. For example, while 62% of larger companies say that practising their crisis communications response is a critical or high priority, only 47% of smaller firms say the same.
More than half of firms rank as cyber 'novices' in the cyber readiness test.

Analysing four dimensions of cyber readiness, we created a Cyber Readiness Model, grading firms as either 'cyber experts', 'cyber opportunists' or 'cyber novices'. The experts accounted for just 30% of the survey group while novices made up more than half (53%), suggesting the majority of companies have some way to go before they can claim to be cyber ready.
Six steps for moving from 'novice' to 'expert'.

Our analysis of the gaps between the experts and the novices highlights six areas where the novices can focus their efforts and make up ground. Most are strategy and process-related and do not involve a major financial outlay. The involvement of top management, more employee training, and systematic tracking and documentation are prominent among them. For most companies, throwing more money at the problem is not the answer.
Momentum builds behind cyber insurance?

The take-up of cyber insurance appears to be set to accelerate sharply in the coming year. Nearly half (46%) of those firms that have yet to insure against cyber risks say they are planning to do so in the next 12 months.

A watershed year for cyber

Commentary by Robert Hannigan

Robert Hannigan is a former director of the UK Government’s Communication Headquarters and was responsible for setting up the UK’s National Cyber Security Centre. He is an adviser to Hiscox.

Last year was the moment when major international cyber attacks hit the headlines and affected individuals and companies simultaneously in dozens of countries.

High profile victims suffered severe reputational and financial damage, sometimes because they had not taken the threat seriously and done the basics, and sometimes because their handling of the breach revealed deeper corporate failings. For smaller companies, the inability to operate, for example after a ransomware attack, was fatal for the business.

If minds were not already focused by this, 2018 promises to be the year when mandatory reporting of cyber breaches raises awareness and reputational risk further, as the EU General Data Protection Regulations (GDPR) come into force. The cyber threat itself is set to grow in volume and severity, as criminal groups gain access to more sophisticated tools and become more reckless. The rapid growth of the ‘internet of things’ will amplify insecurities by adding millions of new devices with minimal built-in security. For those trying to protect against attack, the shortage of cyber skills will continue to be chronic.

Against this background, Hiscox’s Cyber Readiness Report once again gives a fascinating snapshot of how companies have been affected and how prepared they are. Nearly half of the organisations surveyed knew they had been attacked; the rest had either successfully prevented attacks or, particularly in the case of smaller companies, may have missed breaches altogether.

The average losses for companies are substantial: anything from $55,000 for smaller businesses in Germany to $25 million for a large enterprise in the US.

The survey highlights a widening gulf between those who ‘get’ cyber security, take it seriously, and spend appropriately, and those who still regard the issue as someone else’s problem. Cyber security is not an IT issue but rather a risk for the whole organisation; tackling it is more about people, behaviour and culture than clever technology.

Those companies which have successfully prevented attacks or handled them well when they got through, have understood that cyber is a fast-moving but manageable risk. Insurance has a key role to play in helping companies to get that risk management right, both in prevention and incident response.

The growth of the cyber insurance market, especially in the US, underlines this. Together with more assertive activity from regulators in many countries, insurance will help to raise the baseline of security for the whole economy as well as saving many smaller companies from severe damage.

Large UK organisations (more than 250 employees) rank among the most cyber-ready in the study. A quarter of them qualify as cyber security experts. The figure is topped only in the US (26%).

With the largest average IT budgets, UK firms top the table for spending on cyber security. However, the cost of breaches is still among the highest in the survey: for larger UK firms that were targeted in the past year, costs ran to $20 million, with an average of $463,000.

US organisations emerge as the most cyber-ready. Some 30% of US respondents rank either as cyber security experts or intermediates. Nearly half (45%) have a formal cyber security strategy and two-thirds (67%) consistently deploy antivirus or antispyware technologies.

More than half (53%) of the US government entities in the survey report an attack in the past year. Among the larger US organisations that were targeted, the cost of cyber attacks ran to $25 million with the average coming out at $578,000.

German firms are most likely to involve the board in the strategy-setting process (64%, do so), but only 38% have a formal cyber security strategy.

Among the smaller firms in the survey (up to 250 employees), German ones have been hit hardest by cyber crime, with an average cost of $55,000 over the past year. When it comes to individual incidents, German organisations also report the highest cost figures – ranging up to $5 million.

More than four in five (82%) Dutch organisations rank as cyber novices. Despite the fact that they are most likely to have suffered at least three cyber attacks in the past 12 months (experienced by 47% of Dutch respondents), they come bottom of the table for both IT spend and for the proportion devoted to cyber security.

Dutch firms lag in other areas too. For instance, they are least likely to provide cyber security training and awareness programmes across the workforce: only two in five (42%) do so.

Spanish organisations devote the largest proportion of their IT budgets to cyber at 11%. Two-thirds of firms targeted (67%) made changes after an attack (compared with 53% across the five countries).

They are the most heavily targeted, with 57% reporting one or more attacks in the past year. They are most likely to cite external attacks as the most common source of cyber incidents that have interrupted their business in the past 12 months (29% of them).

Cyber Insurance

We work with a range of organisations to better understand the rewards, challenges and day-to-day responsibilities of running your own business. Get a quote for your cyber insurance and buy online today.
More on Cyber Insurance

The Hiscox Cyber Readiness Report 2018

The Hiscox Cyber Readiness Report 2018

Countering the cyber threat

Executive summary

The incidence of cyber-attack is high

It takes time to get back to 'business as usual'.

Cyber security spending is on the increase.

Attacks prompt more technology spend.

Smaller firms hit hardest.

More than half of firms rank as cyber 'novices' in the cyber readiness test.

Six steps for moving from 'novice' to 'expert'.

Momentum builds behind cyber insurance?

A watershed year for cyber

Commentary by Robert Hannigan

Cyber Insurance