Article by Lucy Ingham – Verdict
23 April 2019
An exhaustive report of the state of cybersecurity among businesses has found that the number of companies reporting cyberattacks grew dramatically compared to the previous year – yet cyber-readiness has actually decreased over the same period.
The Hiscox Cyber Readiness Report 2019, which covers businesses in the US, the UK, Spain, France, Germany, Belgium and The Netherlands, found that 61% of companies reported an attack in 2018, up from 45% in the previous year.
Meanwhile, when it comes to preparedness for cyberattacks – known as cyber-readiness – the number of companies ranking themselves as ‘experts’ has dropped from 11% to 10%, while 74% regard themselves as ‘novices’.
Arguably most concerning, however, is the costs involved. The mean figure in 2017 for losses associated with cybersecurity incidents was $229,000, but in 2018 this climbed 61% to $369,000. And this is buoyed by a surge in the cost of individual incidents – in 2017 the mean cost of the biggest single incident was just $34,000, but now a year later it is just under $200,000.
For large companies, the numbers are far worse, with mean costs for the biggest single incident rising 18-fold to $395,000.
Business cyberattacks are on the rise – but cybersecurity experts are not surprised
The cybersecurity industry has for the most part expressed a total lack of surprise about the results of the report, with Malcolm Taylor, Director Cyber Advisory at ITC Secure, saying that “they reflect the fact that the cyber threat is universal”.
“Three years ago, typical clients for the security industry were in the financial services or technology sectors – because these sectors knew they had an issue with cyberattackers but other sectors did not. That is changing,” he said.
“Now, stories about cybersecurity have moved from specialist websites to the mainstream media and as a result, companies in other sectors are beginning to understand that they, too, are as likely as anyone else to be targeted.
“That was always the case, but they didn’t know it. Now they do, and they are just beginning to take steps to defend themselves.”
The value of data
The problem is, according to Taylor, compounded by the increased financial lure that such attacks hold, particularly given that the majority a criminal in nature.
“The attackers just want to steal money or something of value to sell or use for blackmail. In our increasingly networked world, everything has a value,” he explained.
“For example, a LinkedIn account with credentials sells online for about a dollar – harvest enough and the attacker has a good financial return. In other words, we all have a value.
“So, attacks are typically not targeted, but random and broadcast and so everyone is vulnerable; whoever you are, you should think about your exposure and decide if you can live with that or whether you should take steps to minimise your risk. It is a little bit like burglary; get yourself good locks and an alarm – or don’t.”
Connected to this is a perception that companies have about the value of their own digital assets to would-be attackers – many still believe they have nothing worth stealing.
“Many people still think they have nothing worth stealing and haven’t recognised that they represent a return on investment for the attackers,” he added.
“It is also in part because of the way the threat has to date been presented; that is, extremely serious (even existential) and frightening, impossible to defend against, and exceptionally technical and complex, and also extremely expensive. None of these things are right. The threat is real, and the damage can be significant.”
Under pressure: How can businesses adequately respond?
While it would be easy to use the report as evidence that businesses are simply not trying when it comes to cybersecurity, the reality is more complex.
“The report is right to spotlight just how under pressure businesses are to keep pace, both with hackers and with regulatory scrutiny. If an organisation doesn’t have strong preventative measures in place, it risks causing serious damage to its bottom line – even when it’s insured against cyberattacks,” commented Marina Kidron, Director of Threat Intelligence at Skybox Security.
“But being able to build a proactive cybersecurity strategy is easier said than done. Put bluntly, the cybersecurity skills crisis has put many businesses in a tight bind.
“There aren’t enough skilled professionals to call upon, which means that any and all existing resource is being stretched. This is creating a culture of ‘fire-fighting’ by necessity, with security teams digging themselves into a hole that’s difficult to find a way out of.”
“There is a skills shortage and salaries are high,” said Taylor.
“Most mid-tier companies do not want to, or indeed need to, employ full time cybersecurity staff; outsourcing is normal and actually more cost-effective. For example, a CISO can attract a salary of £200k, but it is possible to hire a CISO-as-a-Service at less than that.”
Whatever companies do, however, it is essential they take action in response to the findings – no matter what their size or industry.
“Companies need to do more, and they need to do more consistently. Cybersecurity is a process, not a onetime fix,” said Taylor.
“Understand your threat, assess it from a business perspective, and take the right steps. Risk management, in other words. The worst thing anyone can do is ignore it – because it isn’t going away.”