Hiscox Cyber Readiness Report: 3 Steps to business cyber security
February 06, 2018
The thought of a cyber-attack is enough to strike fear into the heart of anyone. From targeted attacks like the Equifax breach to the widespread WannaCry ransomware outbreak to individual spear-phishing attacks, it seems no one is safe. But there are steps every business can take to minimize the impact of an attack. Here’s how to become cyber ready in three steps.
Hiscox recently released the 2018 Hiscox Cyber Readiness report, based on a survey by Forrester of 4,100 companies in the US, UK, Germany, Spain and the Netherlands. The report explores the degree to which companies are prepared to prevent or withstand a cyber-attack.
Each company surveyed was rated an expert, intermediate or novice when it came to their level of preparedness. Alarmingly, only 13% of US companies fell into the ‘expert’ category. Over two-thirds (70%) of companies were rated as cyber novices.
What makes a cyber security expert?
In order to become an expert in cyber security, you want to do three things.
- Prevent an attack on your organization. This means having a response plan in place and practicing what to do in the event of an attack. The entire organization should be trained on potential threats like spear phishing, malware and password attacks. The focus on cyber awareness needs to come from the corner office, and the entire C-suite needs to be invested in the process.
- Detect an attack as early as possible, if one occurs. A comprehensive training program includes teaching employees to be on the lookout for suspicious activity that would indicate an attack has occurred.
- Mitigate the impact of an attack on your organization. Having a tight response plan in place will help, as will early detection. Having cyber insurance, either as a stand-alone policy or as a component of your business liability coverage, will reduce your out-of-pocket exposure and may provide crisis management services as part of the policy.
In order to accomplish these three steps, there are several key factors at play.
- Awareness. Everyone in the organization needs to be aware of the possibility of an attack. They need to know what they can do to prevent one, including the best practices for passwords and the warning signs of phishing.
- Strategy. Have a plan in place to deal with a cyber-attack as soon as it is recognized. Specific duties should be assigned to specific individuals, and everyone must know their role. Revisit the plan periodically to ensure it addresses new threats.
- Engagement. Involvement from the C-suite is critical. Cyber security strategy should be set with input and support from the very top of the organization. Everyone in the organization should be aware of the policy on cyber security and what their specific role is.
The true cost of an incident
Spending money on cyber security doesn’t make one an expert, although the experts do spend more than others. Cyber experts had double the IT budgets of novices ($19.8m vs. $9.9m) and spent a higher percentage of their IT budget on cyber security (12.6% vs. 9.9%). Spending is often the easy part; you also need a rigorous set of processes and awareness of the issues.
The cost of a cyber security incident is daunting. Among the companies who were able to estimate the cost of the attacks they suffered in the last 12 months, the average cost was $229,000. Larger companies incurred higher costs, with the average cost to the largest companies estimated at $1.05 million in the US. The highest cost estimate for a single organization in the US was $25 million.
If the cost of a potential threat were not enough to spur action, perhaps regulation will be. In May of this year, the EU will institute its General Data Protection Regulation (GDPR), which will impose stiff fines for failure to institute preventive measures. Note that this rule applies not only to the countries in the European Union, but to anyone who collects personal information about citizens of the EU.
The 2018 Hiscox Cyber Readiness Report shows that most US companies have a ways to go before they can be considered cyber ready. With diligence and dedication, they can get there.