How a Business Can Move from Novice to Expert in Cyber Defense Best Practices
Sixty-one percent of firms surveyed for insurer Hiscox had a cyber attack in the past year, compared to 45% in 2018. Meanwhile, the median cost for cyber incidents losses soared from $229,000 to $369,000.
While those numbers are of concern, of even more concern is the finding by Hiscox of how many firms are ill-prepared to handle the rising number of cyber incidents.
The Hiscox Cyber Readiness Report 2019 gauges how prepared businesses are to combat cyber attacks. For the report, Hiscox assessed firms’ readiness after surveying nearly 5,400 professionals from the U.S., UK, Germany, Belgium, France, Spain and the Netherlands who are responsible for their company’s cybersecurity. Thirty-nine percent of respondents were from organizations with fewer than 50 employees (small firms), 16% from medium-sized firms employing 50-249 people, 16% from large firms employing 250-999 personnel and the remaining 28% from enterprises with 1,000 or more employees.
To determine the respondents’ preparedness to handle cyber attacks, Hiscox evaluated the firms’ strategy (oversight and resourcing) and execution (technology and process) and ranked them as a cyber novice, cyber intermediate or cyber expert.
Among the findings: 59% of cyber experts globally currently have cyber insurance, compared to only 37% of cyber novices.
In the U.S. alone, fewer large companies are cyber experts. While they have the resources to be prepared, only 11% of large and enterprise firms ranked as cyber experts, compared to 26% of large and enterprise firms last year, according to Hiscox. Twenty-seven percent of U.S. respondents have no plans to purchase cyber insurance.
The study identified cyber expert best practices that cyber novices lack. These include:
- Securing executive buy-in: Only 54% of cyber novices globally believe cybersecurity is a top priority for their firm’s executive management/board as compared to 85% percent of cyber experts.
- Creating a well-defined strategy with input from multiple stakeholders and determining a formal and adequate cyber budget: On average, cyber experts globally devote 14.7% of their IT budget to cybersecurity, but cyber novices’ cybersecurity spending accounts for just 8.7% of their overall IT budget.
- Dedicating a cyber head tasked with overseeing the strategy, supported by a team if necessary: Globally, 51% of ‘cyber experts’ have a dedicated leader who oversees cybersecurity, compared to just 39% of cyber novices.
- Regularly evaluating the supply chain: Only 18% of cyber novices strongly feel that they have good visibility into their suppliers’ security arrangements, compared to 34% of cyber experts globally.
- Defining a process that spans from when a cyber incident is detected to when it has been mitigated, and making sure employees are ready to learn, respond and make changes to this process if an incident occurs: Eighty-five percent of all cyber experts have a clearly defined cybersecurity strategy, compared to just 53% of cyber novices.
- Conducting proactive testing through simulated attacks and regular phishing experiments: Forty-one percent of cyber novices globally have conducted phishing experiments to understand employee behavior and readiness for attacks, compared to 69% of cyber experts.
- Insuring the business with a cyber policy: Globally, 59% of cyber experts currently have already adopted cyber insurance, compared to only 37% of cyber novices.
Even though many firms are falling short in their cyber defense, there has been some progress.
“The message that cyber risk is a real threat to businesses of all sizes is sinking in. Companies are increasingly aware of the risks and pouring more resources into cyber protection, and yet, there is still a tremendous gap between awareness of the issue and actually having an effective defense,” said Meghan Hannes, Cyber Product Head for Hiscox in the U.S.
Hannes said many businesses believe that increasing cyber-related spending fully protects a business, but it takes more than that. “Businesses must take a holistic approach, ensuring they can properly maximize their investment with appropriate internal protocols, staffing, and employee training, ultimately creating a human firewall as the first line of defense,” she said.
Some findings specific to the more than 1,000 U.S. companies surveyed include:
- Leaky bucket budgets: Seventy-two percent of firms plan to increase spending on cyber security in the coming year. However, increased spend without proper infrastructure and training is the equivalent of pouring water into a leaky bucket, according to Hiscox. Only 11% of respondents cited increased spending on employee training and culture changes as a result of a cyber security incident, both of which are crucial components of a company’s defense against cyber risks.
- Attacks are on the rise: Fifty-three percent of respondents reported an attack in the past 12 months, compared to 38% last year. Hiscox says many companies do not take proper action following an attack, with 45% of companies reporting experiencing three or more attacks in the past year. Cyber incidents come with a large price tag. The mean cost of cyber incidents in the US was $119,000.
- Fewer large companies are cyber experts: While it would seem they have the resources to be prepared, only 11% of large and enterprise firms ranked as ‘cyber experts,’ compared to 26% of large and enterprise firms last year.
- Unexpected risks in the supply chain: Fifty-six percent of firms experienced cyber-related issues in their supply chain in the past year. However, only 7% of respondents cited increased evaluation of the supply chain as a result of a cyber security incident occurring in the past 12 months.
- Lack of insurance heightens the stakes: Twenty-seven percent of respondents have no plans to purchase cyber insurance, and 5% are unsure of what cyber insurance is.