A recently published cyber security survey of over 4,100 professionals reveals some startling facts about how business is tackling the threat posed by cyber crime…
About the report:
The Hiscox Cyber Readiness Report is compiled from a survey of more than 4,100 executives, departmental heads, IT managers and other key professionals in the UK, US, Germany, Spain and The Netherlands. Drawn from a representative sample of organisations by size and sector, these are the people on the front line of the business battle against cyber crime. The report not only provides an up-to-the-minute picture of the cyber readiness of organisations large and small, it also offers a blueprint for best practice in the fight to counter an ever-evolving threat.
What the cyber security survey revealed…
45% of respondents say they suffered a cyber-attack in the past year
7% lost customers as the result of a cyber attack
For a small number of those hit by a breach, the impact went beyond the immediate cost in pounds and pence: 7% of respondents said they had lost customers as a result of a cyber attack, with 5% saying they had found it more difficult to attract new ones. A similar number said they had lost business partners. In 6% of cases the organisation had laid off employees. Most difficult to quantify is the long-term impact on an organisation’s reputation and standing. Some 5% of those hit by a cyber attack in the past year said the bad publicity had damaged the brand.
The average cost of a cyber incident for UK SMEs is £24,000
Cyber crime is costly for the victims. We asked those organisations that had suffered an attack (1,853 out of the 4,100 survey sample) to estimate the financial cost of all the cyber security incidents they had experienced in the past 12 months. Based on the current exchange rate it works out to an average of just over £24,000 for UK SMEs. Nearly a third of them replied ‘don’t know’. The average among the remainder was £170,000.
[Chart: Cost of all cyber security incidents. Average estimated cost of all an organisation's incidents in the past 12 months, by organisation size: 249 or fewer employees; 250 or more employees; 1,000 or more employees.]
87% of UK businesses don’t comply with best practice
More than half of the organisations in this survey (57%) claim to be ‘very confident’ in their cyber security readiness. The reality is somewhat different. Hiscox posed a series of questions to discover the degree to which respondents’ answers showed alignment with best practice.
The key message is that nearly three quarters (73%) of UK respondents rank as cyber novices, while just 13% rank as cyber experts. In other words, 87% don’t comply with best practice.
Only 20% of UK SMEs have a cyber insurance policy
Some 46% of respondents said, ‘cyber insurance is not relevant for me’ while 27% think it is ‘too expensive’. Nearly one in five (19%) said cyber policies are ‘so complicated, I don’t understand what the insurance would cover me for’. The results suggest the insurance industry still has some work to do. Interestingly, C-level executives appear more resistant to the idea of cyber insurance than those they manage. Only 28% say they have taken out cyber cover and 44% say they have no plans to do so.
Only 20% of UK SMEs said they have a cyber insurance policy, compared to 58% for large organisations.
64% believe that business insurance will also cover a data breach
A large number of respondents believe their general business insurance policy covers them for various cyber incidents when they either won’t be covered, or the scope of that coverage will be very limited. For example, nearly two-thirds (64%) of all respondents think it covers them in whole or in part for a data breach resulting in loss of customer data, and 57% think it covers them for DDoS (distributed denial of service), where a service has either been interrupted or a website has been taken down for any period of time.
34% cite additional expertise as a reason for taking out cyber insurance cover
Nearly half (49%) of those with cover or planning to take out cover say they either use or are planning to use the insurer’s employee training. Nearly half (47%) will turn to their insurer for risk assessments. The ability to get consultative advice is also mentioned by 37% of respondents.
Among those already covered or planning to take out cover, the top two reasons for doing so are the cost of a potential breach/the desire for peace of mind and the fact that cyber insurance policies offer ‘additional expertise that I do not have’. More than a third (34%) cite the attraction of additional expertise as a reason for taking out cover.
Cyber security for SMEs - Three Key Takeaways
- For smaller firms that lack the expertise for managing or fixing a breach, outsourcing can be an alternative approach. Even bigger organisations often lack the ability to field an instant response team around the clock. Outsourcing firms can add an extra layer of expertise in handling breaches. However, they are at best a delegation of responsibility, not a complete abdication of cyber security.
- Spending on technology is often the easy part. To be effective, you have to move on all fronts together. That means people, processes and technology. Simply spending on technology is not enough without a fully structured, rigorous set of processes combined with people who are fully aware of the issues. It is especially disappointing that so few people appear to simulate a cyber attack and practise what to do when their systems go down.
- What keeps business people awake at night? The answer is the double risks of cyber attack and fraud. Increasingly, the two are linked as fraud moves online. We asked our survey group of more than 4,100 managers and senior executives in five countries to rate their concern over different types of risk and the potential impact they could have on the organisation in the coming year. Two-thirds (66%) put the cyber threat on a par with fraud, at the top of the list.
The Expert View…
Gareth Wharton, CEO, Hiscox
“If anyone still harboured doubts about the severity of the threat, the events of the past year should have dispelled them. From the WannaCry ransomware attack to the hacking of one of the world’s largest credit agencies, 2017 produced numerous reminders that operating in a connected world has fearsome perils. The cost of these attacks has undoubtedly run into the billions.
“It is an old adage that you should hope for the best but plan for the worst. That is certainly true when it comes to battling cyber crime. In today’s world, there is no alternative to investing in sophisticated prevention and detection systems and supporting them with the people and processes that will make them effective. This study not only reinforces that message but it provides a detailed picture of what cyber readiness really looks like.”
IoD members benefit from a 5% discount on Hiscox Business Insurance including Cyber and Data Risks Insurance.
Read the full Hiscox Cyber Readiness Report 2018