A recent report from insurers Hiscox has found that many companies are still inadequately protected against cybercrime, and that its SMEs who are hardest hit by it – and least prepared.
Disturbing Statistics
The report by Hiscox used data gathered by Forrester Consulting, who were commissioned to survey the individuals in charge of cybersecurity at 3,000 companies in Germany, the UK and the US.
Worryingly, more than half (57%) of respondents said they had experienced a cyber-attack in the past year, while 42% have had at least two incidents in that period. A small but significant minority – 11% reported they’d had five attacks or more.
The US companies seemed to have suffered most, while the UK firms were least likely to have experienced an attack in the past 12 months. 45% said they hadn’t had any incidents in the last year. As regards sectors, in the UK, the technology, media and telecoms sectors appeared to be the most regular targets for hackers, with 45% of those firms reporting two or more attacks in the past year.
Battle Readiness
To assess how well-defended companies were against cybercrime, Hiscox created a Cyber Readiness Model. This used a quantitative analysis covering four areas of cyber readiness – strategy and oversight, resourcing, technology and process. Scores from these areas were then used to rank firms into ‘cyber novices’ (those with the least developed approach to cyber readiness), ‘cyber opportunists’ (firms that are well prepared in some, but not all, areas) and ‘cyber experts’.
Unfortunately, only 30% of the survey group ranked as experts; 49% of companies ranked as cyber experts were from the US. Meanwhile, novices made up more than half (53%), suggesting the majority of companies have some way to go before they can claim to be cyber ready. Novices were a little more evenly distributed between all three countries, with most (39%) found in Germany, followed by the UK (36%) and the US (25%).
SMEs: Greater Impact, Higher Risk, More Complacency, Poorer Defence
The Hiscox report also found, in common with other cybersecurity reports in recent years, that it’s the smaller companies who are the most vulnerable – and the least well-prepared.
It found that “the financial impact of cyber-attacks is disproportionately high for the very smallest companies,” (those with fewer than 100 employees). The cost per incident for these smallest companies wasn’t appreciably less not appreciably less than the cost for those in the next size tier, and far higher per-employee than for the largest companies. In the UK, the average cost of a cyber security incident for the very smallest organisations was 41% of the average cost for the largest companies, which were at least ten times the size.
These figures make it even more surprising that the report found small businesses “more complacent than their larger counterparts.” 29% of small businesses said they had made no changes at all following a cyber security incident, compared to 20% larger firms.
The gap between larger companies and smaller businesses was even more evident when it came to adopting cyber initiatives. While 62% of larger companies said that practising their crisis communications response was a critical or high priority, only 47% of smaller firms said the same.
More companies, however, are insuring themselves against cyber risk, proving that they are starting to realise what a devastating impact cybercrime can have. 40% of respondents said they already had cyber cover, with another 28% planning to follow suit in the next year.
“It is an old saying, but a true one: prevention is better than cure,” says Steve Langan, Chief Executive at Hiscox. “Robust defences against cyber intruders and strong processes for eliminating careless or rogue behaviour internally are now the keys to business continuity and consumer trust. Without investment in prevention, detection and training, firms leave themselves exposed to costly business interruptions and possible brand impairment.”