How prepared would your business be for an attack from cyber criminals, and how quickly could you get back to normal?
More than half of businesses (57 per cent) have experienced a cyber attack in the past year, with 42 per cent reporting repeated attacks. It is clear that businesses can no longer afford to be complacent about cyber criminals, but how many are left undefended
For its Cyber Readiness Report 2017, insurance company Hiscox surveyed more than 3,000 executives, managers and IT specialists in charge of cyber security within their companies across Germany, the UK and the US to provide an overview of the threat landscape.
The threat landscape
The cyber threat landscape in the US was particularly shocking, with 63 per cent of firms experiencing a cyber incident in the past year, while 47 per cent of all US firms experienced two or more. In Germany the incidence rate is around 56 per cent, and in the UK around 45 per cent.
The cost of the largest breach ranged from £22,000 for small German firms to $102,000 for large US firms. However, although more money could be stolen in an attack on a larger firm, the financial impact of a damage from cyber criminals is disproportionately high for a small business. In other words, the cost per employee is higher for smaller firms than large businesses.
Despite the fact this, 29 per cent of small business survey respondents said they changed nothing following an incident.
The gap between small and large businesses in terms of cyber readiness is fairly large while 62 per cent of large firms practise crisis communications responses as a critical or high priority, only 47 per cent of small businesses do the same.
How likely is a breach from cyber criminals?
The report found that, with the ever-increasing rate of cyber attacks around the world, a business owner would be wise to consider ?when” there will be an incident, not if .
Overall, 63 per cent of businesses in the US have experienced an incident in the past year, compared to 56 per cent in Germany. The UK is the least likely to experience an attack, with 45 per cent claiming there have been no incidents in that time.
Despite the UK being marginally safer, businesses should be careful about getting complacent the risk of not preparing for an attack could be disastrous. Survey respondents were asked to estimate the average costs of a cyber attack, and the results demonstrated a wide range from under £1,000 to over £500,000 per incident.
There can additional costs of a cyber attack. The cost is not limited to the money pilfered in the incident, but can include the costs of lasting reputational damage. Of the firms that suffered an attack in the last year, one-in-ten admitted having lost clients or had difficulty finding new ones as a result.
It can also take a while to get a business up and running again following an attack, with 46 per cent of businesses taking two or more days to get back on track.
How prepared are you?
When it comes to being prepared, the changing and evolving nature of threats was top of the list of challenges (it was considered either a challenge or a major challenge by 70 per cent of respondents).
Cyber preparedness is creeping up the priority list for many businesses, with the majority (59 per cent) claiming security budgets will be increased over the next year by five per cent or more.
New technology is top of the purchasing list, but many also intend to up employee awareness training budget, and nearly half of firms intend to increase their spending on cyber security staffing by at least five per cent in the next year. This makes sense given that many breaches happen as a result of activity or negligence of people within organisations.
Dealing with an attack from cyber criminals
Unfortunately, no matter how prepared a business is for a cyber attack, it can never be 100 per cent protected. This is reflected in the growing demand for cyber insurance; 40 per cent already have cyber insurance, and 46 per cent of the remainder intend to take it out over the next year.
Larger firms are more likely to be insured than smaller firms (48 per cent compared to 37 per cent) despite the discrepancy with cyber attacks being disproportionately damaging to a small business.
Of those which have decided against taking out cyber insurance, 41 per cent claimed it would have no relevance for the business. This highlights the need for ongoing education on the subject.
Hiscox concluded that education is still a big challenge for the insurance industry in terms of understanding the cyber risk and how insurance can help to mitigate the risk.
Given it is commonly understood that cyber insurance policies are complicated, the firm said, the industry must put more effort into making sure the cover is easier to understand.
Steve Langan, chief executive at Hiscox Insurance, said: By surveying those directly involved in the business battle against cyber crime, this study provides new perspective on the challenges they face and the steps they are taking to protect themselves.
But it also offers a series of practical recommendations for those businesses that still have work to do in tackling cyber risk. We hope it will contribute to a better understanding of what is needed to be fully cyber ready.
If you’re concerned about the readiness of your business when it comes to attacks from cyber criminals, make sure you don’t miss our upcoming SME Cyber Security event on 21 June. Find out more by visiting the event website.