Are businesses prepared for growing cyber threat?

Hiscox study finds widespread shortcomings and significant variations in how prepared companies are to deal with a cyber attack.

More than half of businesses (53%) are ill-prepared to deal with cyber attacks, according to a recent Hiscox study, which also found that more than half of firms (57%) have experienced a cyber attack in the past year, while more than two in five (42%) have suffered two or more attacks.

The biggest cyber security challenge facing businesses is the "changing/evolving nature of threats", states the Hiscox Cyber Readiness Report 2017, which surveyed 3,000 small to large businesses in the UK, Germany and the US.

Impacting business performance

External attacks targeting their organisation are regarded by respondents as being the cyber events that would have the biggest impact on their business performance; internal incidents, such as an insider threat or HR incident, came second, followed by the loss of a smartphone or tablet. Most firms are stepping up their cyber security spending, with new security technology coming top of their priority list, followed closely by employee awareness training.

Assessing cyber readiness

The report set out to assess firms according to their cyber readiness in four key areas – strategy, resourcing, technology, and process – and rank them accordingly as experts or novices. It concluded that 53% were novices in their overall cyber readiness, while less than a third (30%) qualified as being expert. Larger companies were disproportionately more likely to be classed as experts, and, of those, almost half are US companies.

Overall, the firms surveyed scored highest for cyber readiness in technology. “This may reflect that technology tends to be the easier solution to implement, either by outsourcing and/or spending more,” says Matthew Webb, Hiscox’s Head of Cyber. “Also, cyber risk has historically sat within the IT department and they are more likely to deploy technology in response to a problem.”

One telling feature of the rankings is that while directors and executives make up 20% of the survey sample, they account for 23% of the novice group and only 16% of the experts. “We see this dynamic fairly often,” says Webb. “The IT department back themselves to be bullet proof or have all the controls and risk management in place, while the board tends to have a more realistic view of what they are, or are not, doing.”

Cyber complacency?

The report also reveals a worrying disconnect between firms’ perception of their own ability to resist a cyber attack and their actual level of cyber readiness. Although the report highlighted the majority of firms as being novices, 75% said they are “very confident with their cyber security readiness”. “There is a real risk of complacency here,” says Webb, “with firms perhaps overestimating their cyber readiness. As our Cyber Readiness Model shows, more firms need to target ‘expert’ status, which typically means getting more top level buy-in to their cyber security strategy, as well as developing a cross-functional approach throughout their organisation. Other steps they can take include more employee awareness training and better use of security metrics. It’s also perhaps no surprise that ‘experts’ spend a higher proportion of their revenue on cyber prevention and mitigation.”


Is cyber insurance on the increase?

More firms are buying cyber insurance, the study shows, with 40% of firms saying they have taken out a policy. The figure is highest in the US, at 55%, while nearly two-thirds (64%) of the ‘expert’ companies say they are insured for cyber risks. “These figures are slightly higher than our forecasts,” says Webb. They may reveal a lack of understanding of what actually constitutes cyber cover, he says, with many businesses perhaps believing they are covered for cyber attacks through other insurance policies. “For example, more than a fifth (21%) of financial services and travel and leisure firms say they already get cyber insurance as part of their other insurance cover.”

Insurance policies are still too complicated

Nearly one in five (17%) of those firms which have no plans to take out cyber insurance agree with the statement that “cyber insurance policies are so complicated – I don’t understand what cyber insurance would cover me for”, the report finds. “This is clear evidence that there is a huge need for education around what cyber insurance can offer, while there is also a big trust issue with some 29% of businesses who have not bought cover saying they would not trust their insurer to pay out in the event of a cyber claim. As an industry we must work together to make cyber cover as clear and as accessible as possible,” concludes Webb.

Hiscox commissioned Forrester Consulting to survey more than 3,000 executives, departmental heads, IT managers and other key professionals responsible for the cyber security decisions at their companies in the UK, US and Germany (1,000-plus in each country). Respondents were drawn from a representative sample of businesses by size and sector. The online survey was completed between 16 November and 5 December 2016.
