A study of more than 4,000 organisations across five countries, commissioned by specialist insurer Hiscox, reveals major shortcomings in cyber security readiness at 73% of firms.
The Hiscox Cyber Readiness Report 2018 surveyed a representative sample of private and public sector organisations in the UK, US, Germany, Spain and the Netherlands.
It assessed each organisation on its cyber security strategy and the quality of its execution – and ranked them accordingly.
Only 11% scored highly enough in both areas to qualify as cyber security ‘experts’, and only 16% achieved expert status in either strategy or execution, but not both.
Larger organisations lead the way: Larger organisations in the study (those with 250-plus employees) are better prepared. One in five (21%) rank as cyber security experts, and a further 17% pass the expert test in either strategy or execution.
Just 7% of smaller organisations (250 or fewer employees) make the grade as experts.
You get what you pay for: The average organisation in the report spends $11.2 million a year on IT and devotes 10.5% of it to cyber security.
However, the organisations that rank as cyber experts spend twice as much on IT as those that failed the test ($19.8 million on average versus $9.9 million) and devote a higher proportion to cyber security (12.6% versus 9.9%).
Smaller firms lack resources, directing on average 9.8% of their IT budget to cyber security compared with 12.2% for larger organisations.
Spending set to rise: 59% of respondents plan to increase their cyber security budgets in the year ahead. New technology tops the shopping list, despite this being the area where the bulk of firms appear best prepared.
The experts lead the way: for example, 55% plan to increase spending on awareness training compared with only 29% of organisations that failed the cyber readiness test.
Evens chance of being targeted: 45% of the organisations surveyed report at least one cyber attack in the past year. Two-thirds of those targeted suffered two or more attacks. Financial services, energy, telecoms and government entities were the prime targets.
Costs range up to $25 million: Among organisations that were targeted in the past year, the average cost of all incidents was $229,000. For organisations with 1,000-plus employees, the average costs ranged between $356,000 in Spain and $1.05 million in the US.
Individual organisations faced still higher costs – up to $20m in the UK and Germany and $25m in the US.
Steve Langan, Chief Executive of Hiscox Insurance Company, commented: “This report shines a light not only on the financial consequences of cyber incidents but also on the enormous investment being made to counter the threat. Importantly, it offers a picture of what best practice looks like.
“Often the answer is not ‘more technology’ but proactive thinking, more rigorous processes and better trained staff. We hope it will serve as a roadmap for all those organisations that still have some way to go.”
The study also shows:
Keen awareness of the threat: While many firms may lack adequate defences, two-thirds of respondents rank the cyber threat alongside fraud as a top risk to their business.
US and UK organisations are the most cyber-ready. 13% of US and UK firms rank as cyber experts. The Netherlands emerges as the least cyber-ready country in the report. Only 7% of all Dutch organisations rank as experts.
German firms face costliest incidents. When asked to estimate the cost of their single largest cyber incident, German firms reported the highest average figure, at $5 million.
At the other end of the scale, Spanish organisations contained the cost per incident to a maximum of $800,000.
Experts are more proactive: 89% of cyber experts have a clearly defined cyber strategy, most (72%) make changes after a breach, and nearly all (97%) provide cyber security training for the whole workforce.
72% have conducted phishing experiments on their employees and three out of five (60%) have cyber insurance.
More stakeholder engagement: Cyber experts get support from the top and engage a broader range of stakeholders when setting their organisation’s cyber security strategy.
Experts are more than twice as likely to agree that ‘there is formal support for cyber security from business leaders and executives on an ongoing basis’ (86% versus 38% for organisations that failed the test). More than two-thirds (68%) of cyber experts involve the board and executive management in setting their cyber strategy.
Was this a watershed year for cyber insurance?
The EU’s General Data Protection Regulation (GDPR) comes into force in May and, with tough penalties for the loss of personal data, is expected to boost European take-up of cyber insurance.
The report shows that 33% of respondents currently have standalone cyber cover while a further quarter say they plan to take out cover in the coming year. Financial services firms are currently most likely to report being covered (48%).