Business Cyber Losses Soar but Firms Fight Back with Extra Security Spending: Study
Cyber losses among businesses have risen nearly six-fold during the past year, from a median cost of $10,000 per firm to $57,000, according to an international survey commissioned by insurer Hiscox.
Total cyber losses among the study group rose from $1.2 billion to nearly $1.8 billion during the same period, said the study, titled “Hiscox Cyber Readiness Report 2020.”
The highest recorded total loss for any one company over the duration of the year was $87.9 million (a UK financial services firm) while the highest loss from any one event was $15.8 million (a UK professional services firm).
The most heavily targeted sectors were financial services, manufacturing and technology, media and telecoms (TMT), which Irish firms suffered the highest median costs, at more than $103,000.
The one bit of good news cited by the study is that the proportion of firms reporting a cyber security event in the past 12 months is down from 61% to 39%.
The report explained that the numbers were strongly influenced by a relatively small contingent of firms that reported 500 or more events.
The biggest companies were more likely to be targeted than smaller companies, the report confirmed. “More than half of all enterprise firms (51%) – those with 1,000-plus employees – said they had at least one cyber incident,” it added. “They also reported by far the most cyber incidents (a median 100) and breaches (80).”
While these firms were almost certainly targeted, they may also be better at spotting attacks, said the study.
Further, the report noted, not all super targets are enterprise-scale businesses. “There are super targets in each of our five size brackets. A surprising number are among the smallest.”
The reason for this anomaly? The report explained that the majority of micro-firms in many sectors have nobody managing cyber security. “The smallest transport and distribution firms look particularly vulnerable with 59% saying they have no such role, either internal or external.”
In addition, the report noted that dependence on a managed service provider could backfire when the MSP is itself attacked.
Another explanation for the vulnerability of smaller companies is their lack of effective countermeasures. “Analysis of the data suggests firms with fewer than 12 computers, and where anti-virus or anti-spyware was not deployed consistently across the organization, were particularly likely to be super targets.”
The report shows a broad-based rise in cyber security spending over the past year – with an average spend among the survey respondents of $2.1 million, up from $1.5 million the previous year, which is a rise of 39%.
It reflects both an increase in overall IT budgets and a 30% jump in the proportion devoted to cyber (9.9% to 12.9%), said the report.
Hiscox said that French firms were once again the biggest spenders, lifting their cyber budgets from $2.1 million on average to $3.1 million. Spanish and U.S. firms were close behind with cyber budgets at $2.6 million and $2.4 million, respectively.
The UK, which historically has been a laggard in past Hiscox cyber studies, started to catch up, with average spend on cyber of $1.5 million compared with just under $900,000 the previous year.
Additional the key findings from the study include:
- Ransomware. More than 6% of total respondents – or one in six of those attacked – paid a ransom following a malware attack. Their combined losses came to $381 million.
- Ransomware vs. malware attacks. Whether a ransom was paid or not, the mean losses for all firms subjected to a ransomware attack were nearly twice as much as those that only had to grapple with malware on its own – $927,000 compared with $492,000. The highest losses reported by any single company targeted with ransomware – and which could include other cyber events – was $50.6 million. On the other hand, the highest losses reported by any single company targeted with malware, but no ransomware, was $10.1 million.
- Cyber readiness. The number of firms achieving “expert” status in Hiscox’s cyber readiness model increased from 10% to 18%. This follows two years while progress stalled. U.S. and Irish firms came out best with 24% ranked as experts. France was the biggest improver with 18% of firms ranked as experts, up from 6%. Overall, twice as many firms responded to a breach this year by adding new security and spending more on employee training.
- Spending buys expertise. Firms that ranked as experts in Hiscox’s cyber readiness model spent an average of $4.2 million over 12 months on cyber security. Those at the other end of the scale – the “novices” – spent an average of $1.3 million.
- Cyber insurance. The proportion of respondents saying they have purchased cyber insurance as a result of a previous cyber event has risen steadily over the past three reports – from 9% to 20%. Just over a quarter of firms (26%) said they had a standalone cyber policy while a further 18% said they planned either to purchase standalone cover or add it as coverage to their policies. Firms ranked as experts are ahead of the game with nearly half (45%) saying they had purchased a standalone cyber policy.
“Take-up of standalone cyber cover, however, remains patchy, with more than half of firms in our report relying on more general cover,” said Gareth Wharton, Cyber CEO, Hiscox, in a forward to the report. “This is a conundrum. Almost certainly, they would all have cover for fire and theft, yet the report suggests they are 15 times more likely to have a cyber incident (30% in UK) compared with a fire or theft (2% in UK).”
The report highlights the importance of changing employee behavior to build cyber security awareness.
“The proportion of respondents planning to increase spending on new cyber security technology has progressively fallen over that time from 57% in 2018 to 46% in 2020 while the number intending to invest more in employee awareness training has risen from 34% to 40%,,” said the study. “More than a third (35%) plan to increase cyber security staffing, up from 26% two years ago.”
The Hiscox Cyber Readiness Report, now in its fourth year, was conducted by Forrester Consulting, which surveyed a representative sample of 5,569 private and public sector organizations in the U.S., UK, Belgium, France, Germany, Spain, the Netherlands and Ireland. Respondents completed the online survey between December 2019 and February 2020.
Source: Hiscox