Cyber Crime Preparedness Lacking
February 07, 2017
The Hiscox Cyber Readiness Report 2017 surveyed managers and IT specialists at 3,000 small to large companies in the US, UK and Germany and found that more than half (53%) of businesses are ill-prepared to deal with cyber-attacks.
The study assessed firms according to their cyber readiness in four key areas -- strategy, resourcing, technology and process -- and ranked them from novice to expert. Fewer than a third (30%) qualified as 'expert' in their overall cyber readiness, of which nearly half (49%) were US-based companies.
Among the key findings, the study reveals significant cyber security shortcomings among the more than 1,000 companies surveyed in the US.
•Cyber security budgets increasing - Seventy-two percent of large US businesses (250 or more employees) and 60% of small companies (fewer than 250 employees) experienced at least one cyber-attack in the past year. The frequency of these attacks is driving cyber security spending, which is expected to increase for 63% of US businesses.
•Cyber detection is a challenge - Nearly half (44%) of all US companies surveyed reported taking two days or more to discover a cyber security incident, and more than half (54%) reported taking two days or more to return to 'business as usual' after their largest breach. That said, completing an investigation and remedial work could take even longer.
•Employee training works - For 77% of US companies, employee training has significantly reduced the number of cyber hacks and incidents. Seventy-one percent of US companies reported conducting cyber security exercises, such as phishing experiments, to understand employee behavior and readiness for an attack.
•Small businesses struggle to keep up - While large companies incur the highest costs in nominal terms, the financial impact of cyber-attacks is disproportionately high for small businesses with fewer than 250 employees. The average cost of the largest cyber security incident experienced in the past 12 months for these small businesses was $41,000. Surprisingly, one in five (19%) small businesses say they have changed nothing following a cyber security incident.
•Momentum builds behind cyber insurance - Across all geographies surveyed, 40% of businesses say they have cyber insurance coverage. Fifty-five percent of US businesses reported having cyber coverage, the highest of any country surveyed. These overall higher than expected take-up figures may also reflect confusion over what exactly constitutes cyber insurance coverage with some companies believing they are protected under their existing insurance coverage.
•Involving top management in the cyber security discussions. Nine out of ten experts (91%) say cyber security is a top priority at the board and C-level. Only 62% of novices say the same.
•Formalizing a cyber security strategy. Nine out of ten experts (92%) have a budgeting process that is integrated into all security projects and activities vs. only 40% of novices.
•Documenting the firm's processes. An overwhelming majority of experts (96%) say their business has cyber security guidelines for employees, partners and external users, but only 42% of novices are as well organized.
•Tightening up technology. The gaps between novices and experts are generally less noticeable in technology deployment. Where the novices need to improve is in internal and external message encryption and the integration of strong authentication throughout their businesses.
•Investing in cyber insurance. Nearly two-thirds of experts (64%) have cyber insurance. This compares with just 28% of