Big business sees 10% hike in cyber incidents
19th April 2021
Hiscox’s latest Cyber Readiness Report reveals the financial and reputational risks large businesses face from a rising frequency of cyber incidents, says Andrew Lewis – Lead Cyber Underwriter for Hiscox London Market.
The pandemic disruption may have damaged the financial health of many organisations but for those threat actors involved in targeting the cyber vulnerabilities of large firms, the disruption created potential opportunity.
Hiscox’s latest Cyber Readiness Report 2021 reports a 10% increase in cyber incidents over the previous year, with 61% of large and enterprise organisations – businesses of over 1000 employees – suffering at least one attack over the past 12 months, and nearly half (47%) experiencing a cyber attack six or more times.
While the top three causes of incidents were virus outbreak (non-ransomware) at 38%, DDoS (32%), and business email compromise (30%), ransomware is now commonplace with 19% of the businesses attacked reporting they had experienced a ransomware incident, with around 1 in 4 of those targeted paying a ransom to prevent the publishing of sensitive data.
Look beyond the report’s headline figures, however, and there are some other key cyber readiness themes emerging around areas like brand reputation, building cyber resilience and, of course, the likely longer-term impact of the pandemic on cyber security.
In the last year or so cyber incidents have hit the mainstream news more often, which is having a corresponding effect on brand impact. It’s a rare week that goes by without widespread coverage of a big business dealing with some form of cyber incident and, as a result, a quarter of large firms now report bad publicity and a negative impact on their brand and reputation following an incident – up from 10% the previous year.
It’s no surprise that enterprise-scale firms, many of whom are global brands, should be particularly vulnerable to brand damage, which is why nearly three quarters (74%) agree they will damage their brand if they don’t handle client and partner data securely. These concerns are further reinforced by the Hiscox findings that show 19% of those businesses that suffered a cyber attack saw a reduction in business performance indicators, while 19% also reported that they had lost customers. It’s tangible evidence of the negative impact on business brands if they experience a cyber incident.
Audits are down
Given those brand issues, it’s a concern that there are some signs that fewer firms are taking decisive action to build their resilience following a breach, with only 22% among those who had been attacked saying their cyber security and/or privacy arrangements are regularly evaluated – down from 33%. It’s possible that security audits have become more difficult during the pandemic, with less third-party assurance work undertaken. A gap in that work will create uncertainty for cyber insurance underwriters when considering a risk: are businesses going through the right due diligence, sign-off, and review processes around their cyber security policies, as they were pre-COVID?
Regular reviews of cyber security should not become a casualty of the recent business disruption. Freely available tools like Hiscox’s Cyber Maturity Model can help organisations review their effectiveness at achieving cyber security; highlighting areas of weakness or opportunity and showing where good practice is truly embedded.
Interestingly, while three quarters of firms agree that overall cyber security – in areas like audit but also covering other critical requirements like technology and employee training – is a top priority for the board, only 66% of businesses say that spending on cyber security will increase – a drop from 74% the previous year.
The economic downturn may be a factor in forcing businesses to rein in security spending; another consequence of the pandemic which 58% of firms say has increased their vulnerability to cyber-attacks. Remote working is commonly reported as one reason threat actors are able to attack an increasing number of targets working from home. But with 33% of firms also accelerating their digital transformation plans and 36% growth in the adoption of cloud-based technologies, there are likely to be more opportunities for threat actors to find points of vulnerability.
The emphasis for large businesses, as they look to realign their business models to a post-pandemic future, must be on ensuring their approach to cyber security also realigns to the new cyber risks and vulnerabilities that have surfaced over the last 12 months.