The number of UK firms reporting a cyber-attack has increased, though most businesses admit they are ill-prepared for a breach, according to research from Hiscox (LSE: HSX), an insurance provider and underwriter at Lloyd’s of London.
A week hardly passes without news of a major cyber incident, and there have been great adverse effects associated with most of them. There is rampant data theft; ransom demands are steadily rising; as is the heightened hostile cyberspace within which businesses must operate. The cyber-threat is unavoidable in today’s business world.
Hiscox surveyed approximately 5,400 small, medium and large businesses across the UK, Belgium, Germany, France, Spain, the Netherlands and the United States. The insurer found that there was a “sharp increase” in data theft, fraud, sabotage, and extortion, increasing both the cost and frequency of cyber-attacks, in one year alone. According to the Cyber Readiness Report 2019, more than 60% of firms reporting one or more attacks, up from 45% in 2018.
No One Is Immune
Fifty-five percent of UK firms faced down an attack in 2019, up from 40% last year. Despite this, three quarters of firms were still “novices” in cyber-readiness. The report highlights that many businesses “incorrectly felt that they weren’t at risk”. Yet, in each of the 15 sectors tracked, the number of firms reporting one or more attacks showed a sharp rise.
The most heavily targeted sector was the Technology, Media and Telecom (TMT) space. In all seven countries, there was a rise of 21% over the year, with 72% of respondents reporting at least one attack. In second place came the public sector, which saw a 16% increase (71% reporting an attack), followed by financial services (67% up from 57%).
Losses from breaches averaged between $229,000 (£176,000) and $369,000 (£283,000), an increase of 61%.
UK Businesses Are Less Prepared
The insurer said the percentage of firms scoring well on cyber-security ratings was on the decline, particularly in UK organisations.
Firms in Britain had the lowest budget for cyber-security, spending an average of just $900,000, in contrast to $1.46 million across the other six countries. They were also as likely as a U.S. firm to have a “defined role for cyber-security” in their organization. In France, the proportion of firms prepared to deal with cyber-crime was much lower, just one in ten.
Gareth Wharton, Cyber-CEO at Hiscox, says the low UK spending might be attributable to the large number of small businesses in Britain. “They may feel like they won’t be targeted, as we tend to only read about large breaches in the press,” he continues. “If they incorrectly feel that they won’t be targeted, they may be less likely to spend on cyber-security.”
But Hiscox also discovered that the average cost of an attack in the UK was substantially less (an average of $243,000) than an attack in Germany ($906,000) and in Belgium ($486,000).
More Firms Now Appoint A CISO And Increase Their Efforts
Among the full sample, the fraction of businesses with ‘no defined role for cyber-security’ has been cut in half (from 32% to 16%). Not all of the rest have their own cyber-security lead or a dedicated cyber team; 19% use a third-party provider to oversee their cyber-security. But three-quarters of small companies have at least one person or an external supplier managing cyber-threats (up from 56% a year ago). They are still a long way behind larger enterprises, the vast majority (95%) of which have a defined cyber-security role, but it is still indicates that things are moving in the right direction.
Roughly two-thirds of respondents (67%) report their cyber-security spend will rise in 2019, up from 59% a year ago. While more money directed toward technology remains a goal for half of the survey respondents, the numbers of those planning to direct more monies to employee training, cyber-security staffing and consultants or third-party services are markedly higher. In other words, more attention is being paid to people and processes – which is positive, too.
The cyber-risk may evolve rapidly, but the battle to mitigate and manage it is also changing. The old adage ‘prevention is better than cure’ pop to mind – and indeed, being cognizant of the threats is half the battle. New laws have also spurred action, with 80 percent of UK firms saying that they implemented changes after tough new EU data protection (GDPR) rules came into force last year.