Cyber security: big businesses up their game
New Hiscox research finds a step-change in cyber preparedness for large and enterprise firms, but there is still progress to be made, says Matthew Webb, Cyber Line Underwriter at Hiscox London Market.
The proportion of large and enterprise businesses qualified as ‘cyber experts’ has more than doubled this year – from 12% to 29% – according to the Hiscox Cyber Readiness Report 2020. The report – which looked at the cyber preparedness of more than 1,000 large and enterprise organisations (those with 1,000-plus employees) across the UK, Europe and the US – found the US to have the highest proportion (39%) of cyber experts, while the Netherlands ranks lowest with only 20% earning cyber expert status.
While the overall story is one of positive progress, concerns remain that just over half (51%) of big businesses still classify as cyber novices and continue to fall short in their approach to cyber security. The same number (51%) have also experienced at least one cyber incident or breach in the past 12 months, with the median cost of all incidents and breaches at US$504,000.
Despite these figures, there are signs of a new urgency amongst large businesses to confront the cyber challenge. Twice as many firms now report responding to a breach or incident by taking extra measures such as the evaluation of security and privacy, and the addition of new security or audit requirements.
Cyber security spending on the rise
Size matters in cyber readiness. One likely reason for the overall increase in cyber experts is the 5% uplift in cyber security spending registered by large firms. These firms spent an average of $8 million on cyber security in the past year, and the large majority (74%) plan to continue increasing their overall spend in the coming year. Even though this research was undertaken prior to the COVID-19 crisis, businesses are still saying that they will look to make cost savings elsewhere while preserving their cyber security budgets.
Where’s the cyber money going? Despite 70% being confident that their IT technology protects them from a cyber incident, 53% of large businesses plan to invest in the latest cyber security technology. However, less than half (48%) say that their spending on employee training is due to increase. Should this be a concern given human failure is often the Achilles heel of even the best protected organisations? The human firewall is a critical component of every organisation’s cyber security posture, so any failure to maintain training is an area to watch.
Data first, ransom second
Given the prevalence of ransomware among the top three reasons for cyber breaches, technology is a good area for investment: for example, endpoint protection to stop ransomware at source, or more sophisticated back-ups. Two types of ransomware attack are commonly seen: targeted attacks, where hackers attack individuals with highly personalised phishing scams; and mass scanning, where hackers look for key weaknesses in servers exposed on the internet and infect any company they find vulnerable. Once in, ransomware gangs have also adapted their methods to first steal company data before detonating their ransomware, adding yet more pressure on their victims to pay the ransom.
Adopt a well-rounded approach
These evolving ransomware tactics highlight the need for businesses to make sure they continue to adopt a well-rounded holistic approach to cyber security by building up the human firewall as well as implementing appropriate security technology.
Get it wrong and businesses are increasingly conscious of the damage that can be inflicted beyond the immediate operational issues. Nearly three quarters (73%) of large organisations agree that they will harm their brand if they do not handle client partner data securely. This threat will continue to grow, particularly as the use of biometric data opens new and profitable attack fronts for hackers.
One valuable method of protecting brand involves the use of insurance. This year, over half (52%) said that they have already invested or plan to invest in a dedicated cyber insurance policy. One of the key reasons mentioned for purchase was the access that such policies provide to additional expertise in areas like crisis management, legal and IT forensics.
Double down on the threat
The additional protection and risk mitigation that a robust insurance policy can provide will become particularly valuable over the coming months with the cyber impact of the COVID-19 pandemic already revealing itself through an uptick of hacker activity. As criminals look for new vulnerabilities due to increased remote working and management resources directed elsewhere, it’s clear that large and enterprise businesses must double down on the cyber threat and continue to raise the overall cyber readiness of their organisation.
For more information, download the latest Hiscox Cyber Readiness Report 2020.
This research took place prior to the coronavirus pandemic.