Hiscox Cyber Readiness Report: 3 Steps to business cyber security
The thought of a cyber-attack is enough to strike fear into the heart of anyone. From targeted attacks like the Equifax breach to the widespread WannaCry ransomware hack to individual spearfishing attacks, it seems no one is safe. But there are steps every business can take to minimize the impact of an attack. Here’s how to become cyber ready in three steps.
Hiscox recently released the 2018 Hiscox Cyber Readiness report, based on a survey by Forrester of 4,100 companies in the US, UK, Germany, Spain and the Netherlands. The report explores the degree to which companies are prepared to prevent or withstand a cyber-attack.
Each company surveyed was rated an expert, intermediate or novice when it came to their level of preparedness. Alarmingly, only 13% of US companies fell into the ‘expert’ category. Over two-thirds (70%) of companies were rated as cyber novices.
What makes a cyber security expert?
In order to become an expert in cyber security, you want to do three things.
- Prevent an attack on your organization. This means having a response plan in place and practicing what to do in the event of an attack. The entire organization should be trained on potential hacks like spearfishing, malware and password attacks. The focus on cyber awareness needs to come from the corner office, and the entire c-suite needs to be invested in the process.
- Detect an attack as early as possible, if one occurs. A comprehensive training program includes teaching employees to be on the lookout for suspicious activity that would indicate an attack has occurred.
- Mitigate the impact of an attack on your organization. Having a tight response plan in place will help, as will early detection. Having cyber insurance, either as a stand-alone policy or as a component of your business liability coverage, will reduce your out of pocket exposure and may provide crisis management services as part of the policy.
In order to accomplish these three steps, there are several key factors at play.
- Awareness. Everyone in the organization needs to be aware of the possibility of an attack. They need to know what they can do to prevent one, including the best practices for passwords and the warning signs of phishing.
- Strategy. Have a plan in place to deal with a cyber-attack as soon as it is recognized. Specific duties should be assigned to specific individuals, and everyone must know their role. Revisit the plan periodically to ensure it addresses new threats.
- Engagement. Involvement from the C-suite is critical. Cyber security strategy should be set with input and support from the very top of the organization. Everyone in the organization should be aware of the policy on cyber security and what their specific role is.
The true cost of an incident
Spending money on cyber security doesn’t make one an expert, although the experts do have higher spend rates than others. Cyber experts had double the IT budgets of novices ($19.8m vs. $9.9m), and spent a higher percentage of their IT budget on cyber (12.6% vs. 9.9%.) And spending is often the easy part. You also need a rigorous set of processes and awareness of the issues.
The cost of a cyber security incident is daunting. Among the companies who were able to estimate the cost of the attacks they suffered in the last 12 months, the average cost was $229,000. Larger companies incurred higher costs, with the average cost to the largest companies estimated at $1.05 million in the US. The highest cost estimate for a single organization in the US was $25 million.
If the cost of a potential threat were not enough to spur action, perhaps regulation will be. In May of this year, the EU will institute its General Data Protection Regulations (GDPR) which will impose stiff fines for failure to institute preventative measures. Note that this rule applies not only to the countries in the European Union, but to anyone who collects personal information about citizens of the EU.
The 2018 Hiscox Cyber Readiness Report shows that most US companies have a ways to go before they can be considered cyber ready. With diligence and dedication, they can get there.
Related Articles
A cyber security expert answers your ransomware questions
What is ransomware? Who is vulnerable? And most importantly, how can you protect your small business from the havoc it can wreak?
We sat down with Meghan Hannes, Head of Cyber and Tech Errors and Omissions for Hiscox USA. Meghan has been underwriting and managing cyber security and privacy-related risk since 2004. She is a noted author, speaker, and award-winning product head in the cyber insurance space.
Remote working increases cyber risk for small businesses
The pandemic has changed the way we do business in many ways. One of the most remarkable changes – and one that may become permanent for many businesses – is remote working. While this has been an advantage, the increase in cyber attacks since more people have been working from home is not a coincidence
Read More
The most common accounting mistakes made by small businesses and how to avoid them
Whether you’re a new or experienced small business owner, financial responsibilities—including accounting—can take a while to get the hang of. There are so many moving parts to keep track of, not to mention a lot of math to do, which makes mistakes almost inevitable. That’s why many companies bring on an accountant as soon as they can. But if that isn’t an option for you just yet, don’t worry. We’ll cover some of the most common accounting mistakes made by small businesses and how to avoid them, so you can protect your business.
Read MoreWe provide tailored insurance for the specific risks you face, so you can take the right risks to grow your business.