What to Know About Cyber Defense Best Practices
Sixty-one percent of firms surveyed for insurer Hiscox had a cyber attack in the past year, compared to 45% in 2018. Meanwhile, the median cost for cyber incidents losses soared from $229,000 to $369,000.
While those numbers are of concern, of even more concern is the finding of how many firms are ill-prepared to handle the rising number of cyber incidents, according to the Hiscox Cyber Readiness Report 2019, which gauges how prepared businesses are to combat cyber attacks.
For the report, Hiscox surveyed nearly 5,400 professionals from the U.S., UK, Germany, Belgium, France, Spain and the Netherlands who are responsible for their company’s cybersecurity. Thirty-nine percent of respondents were from organizations with fewer than 50 employees, 16% from firms employing 50-249 people, 16% from firms employing 250-999 personnel and the remaining 28% from enterprises with 1,000 or more employees.
To determine the respondents’ preparedness to handle cyber attacks, Hiscox evaluated the firms’ strategy (oversight and resourcing) and execution (technology and process) and ranked them as a cyber novice, cyber intermediate or cyber expert.
Among the findings: 59% of cyber experts globally currently have cyber insurance, compared to only 37% of cyber novices.
In the U.S. , only 11% of large and enterprise firms ranked as cyber experts, compared to 26% of large and enterprise firms last year, according to Hiscox. Twenty-seven percent of U.S. respondents have no plans to purchase cyber insurance.
The study identified cyber expert best practices that cyber novices lack. These include:
- Securing executive buy-in: Only 54% of cyber novices globally believe cybersecurity is a top priority for their firm’s executive management/board as compared to 85% percent of cyber experts.
- Creating a well-defined strategy with input from multiple stakeholders and determining a formal and adequate cyber budget: On average, cyber experts globally devote 14.7% of their IT budget to cybersecurity, but cyber novices’ spend just 8.7% of their overall IT budget on cybersecurity.
- Dedicating a cyber head tasked with overseeing the strategy, supported by a team if necessary: Globally, 51% of ‘cyber experts’ have a dedicated leader who oversees cybersecurity, compared to just 39% of cyber novices.
- Regularly evaluating the supply chain: Only 18% of cyber novices strongly feel that they have good visibility into their suppliers’ security arrangements, compared to 34% of cyber experts globally.
- Defining a process that spans from when a cyber incident is detected to when it has been mitigated, and making sure employees are ready to learn, respond and make changes if an incident occurs: 85% of cyber experts have a clearly defined security strategy, compared to just 53% of cyber novices.
- Conducting proactive testing through simulated attacks and regular phishing experiments: 41% of cyber novices globally have conducted phishing experiments to understand employee behavior and readiness for attacks, compared to 69% of cyber experts.
- Insuring the business with a cyber policy: Globally, 59% of cyber experts have adopted cyber insurance, compared to only 37% of cyber novices.
Even though many firms are falling short, there has been some progress. “The message that cyber risk is a real threat to businesses of all sizes is sinking in. Companies are increasingly aware of the risks and pouring more resources into cyber protection, and yet, there is still a tremendous gap between awareness of the issue and actually having an effective defense,” said Meghan Hannes, Cyber Product head for Hiscox in the U.S.
Hannes said many businesses believe that increasing cyber-related spending fully protects a business, but it takes more than that. “Businesses must take a holistic approach, ensuring they can properly maximize their investment with appropriate internal protocols, staffing, and employee training, ultimately creating a human firewall as the first line of defense,” she said.
Some findings specific to the more than 1,000 U.S. firms surveyed include:
- Leaky bucket budgets: 72% of firms plan to increase spending on cyber security in the coming year. However, increased spend without proper infrastructure and training is the equivalent of pouring water into a leaky bucket, according to Hiscox. Only 11% of respondents cited increased spending on employee training and culture changes as a result of a cyber security incident.
- Attacks are on the rise: 53% of respondents reported an attack in the past 12 months, compared to 38% last year; 45% of companies reporting experiencing three or more attacks in the past year.
- Unexpected risks in the supply chain: 56% of firms experienced cyber-related supply chain issues in the past year. However, only 7% cited increased evaluation of the supply chain as a result of a cyber security incident.