Majority of large, enterprise businesses fail to prioritise cyber threat
If there’s one thing that can be relied on to appear as regular headline news, it’s another big business falling victim to a cyber-attack. Most recently, IAG-owned airline British Airways is facing a record fine from the Information Commissioner’s Office (ICO) of £183m for a “sophisticated, malicious criminal attack” that took place last year on its website, which resulted in the details of around 500,000 customers being harvested by attackers.
Costs are spiralling
For large, enterprise businesses, the costs of dealing with cyber-attacks like these have spiralled. Our most recent figures from the Hiscox Cyber Readiness Report 2019 reveal that big business reported the average cost of their single largest cyber incident was USD$340,000 – a significant hike from USD$105,000 in the previous year. Matt Webb, Cyber Line Underwriter, comments on the sharp rise: “Standing still by merely maintaining cyber security systems isn’t an effective form of defence. The cyber threat is intelligent and doggedly proactive in finding new methods of attack, so we cannot be complacent in staying one step ahead.”
And how are those attacks presenting themselves?
It’s not surprising to see that virus/worm infection ranks as the most common type of cyber-attack (reported by 29% of those businesses that had suffered a cyber incident), with the next most common being ransomware (24%), and distributed denial of service (DDoS) also prominent at 23%. Worm/virus attacks had waned a little but made a big comeback in 2017 with WannaCry and NotPetya.
A sharp rise in cyber novices
Despite the pervasive nature and growing financial and reputational impact of the cyber threat, the Hiscox cyber report – which looked at the cyber preparedness of more than 1,500 large organisations (those with more than 1,000 employees) across the UK, Europe and the US – reveals that nearly three quarters (73%) are classed as cyber novices, a statistic that raises questions over how prepared many large businesses are to deal with the cyber threat. More concerning is that the 2019 figures indicate a sharp rise from the previous year’s study, which found that 61% of large firms were cyber novices.
Our readiness model assesses businesses’ cyber preparedness by examining a range of factors in four areas of their approach to cyber risk: strategy, oversight and resourcing, technology, and process. Respondents are asked a series of questions and invited to tell us how closely their way of doing things aligns with a well-structured, rigorous and effective cyber security approach. Their results enable us to classify them as ‘cyber novices’, ‘cyber intermediates’ or ‘cyber experts’.
Further analysis of the figures shows a dramatic decline in the number of large firms in both the USA and Germany that qualify for expert cyber status in 2019. In Germany, the proportion is down from 20% to 14%, while in the USA it is down from 26% to 11%. Overall, the proportion of large companies ranked as experts in managing cyber risk has fallen from 21% to 12%.
Money is being spent but…
While it might be assumed that big business has the resources to deal effectively with the cyber threat, our latest figures show a drop-off in the ability to apply best practice. There is no doubt that money is being spent, with more large businesses (75%) intending to increase spending on cyber security, but is it being spent in the right areas?
Less than half (48%) of the big businesses surveyed intend to increase spending on cyber security employee training and awareness. It’s an indicator that while technology is important, it’s not a solution in itself. In a recent article, ‘all the gear and no idea’, we explored how organisations can invest heavily in high-tech security but still suffer cyber-attacks because of set-up blunders. Just as critical is investment in the organisation’s cyber security culture, which focuses on areas like the development of appropriate employee training, policies, procedures and planning.
Don’t forget to build the human firewall
Incorporating a high standard of cyber security awareness and training throughout the organisation is a key indicator of a cyber expert, and a reminder that while getting the technology right is an important factor, many cyber-attacks succeed because they take advantage of employee vulnerability. The human firewall remains as central to a business’s cyber security strategy as its technological firewall.