Hiscox Cyber Readiness Report™: Study reveals cyber security shortcomings in prevention, detection and training
73% of US companies cite the evolving nature of cyber threats as a major security challenge for their businesses; 63% plan to increase cyber security budgets over the next twelve months
NEW YORK, February 7, 2017 – Hiscox, the international specialist insurer, today released a study that gauges how prepared businesses are for cyber threats. The Hiscox Cyber Readiness Report 2017™ surveyed managers and IT specialists at 3,000 small to large companies in the US, UK and Germany and found that more than half (53%) of businesses are ill-prepared to deal with cyber-attacks. The study assessed firms according to their cyber readiness in four key areas – strategy, resourcing, technology and process – and ranked them from novice to expert. Fewer than a third (30%) qualified as ‘expert’ in their overall cyber readiness, of which nearly half (49%) were US-based companies.
Among the key findings, the study reveals significant cyber security shortcomings among the more than 1,000 companies surveyed in the US.
- Cyber security budgets increasing – Seventy-two percent of large US businesses (250 or more employees) and 60% of small companies (fewer than 250 employees) experienced at least one cyber-attack in the past year. The frequency of these attacks is driving cyber security spending, which is expected to increase for 63% of US businesses.
- Cyber detection is a challenge – Nearly half (44%) of all US companies surveyed reported taking two days or more to discover a cyber security incident, and more than half (54%) reported taking two days or more to return to ‘business as usual’ after their largest breach. That said, the time taken to complete an investigation and remedial work could take even longer.
- Employee training works – For 77% of US companies, employee training has significantly reduced the number of cyber hacks and incidents. Seventy-one percent of US companies reported conducting cyber security exercises, such as phishing experiments, to understand employee behavior and readiness for an attack.
- Small businesses struggle to keep up – While large companies incur the highest costs in nominal terms, the financial impact of cyber-attacks is disproportionately high for small businesses with fewer than 250 employees. The average cost of the largest cyber security incident experienced in the past 12 months for these small businesses was $41,000. Surprisingly, one-in-five (19%) small businesses say they have changed nothing following a cyber-security incident.
- Momentum builds behind cyber insurance – Across all geographies surveyed, 40% of businesses say they have cyber insurance coverage. Fifty-five percent of US businesses reported having cyber coverage, the highest of any country surveyed. These overall higher than expected take-up figures may also reflect confusion over what exactly constitutes cyber insurance coverage with some companies believing they are protected under their existing insurance coverage.
“Our study reveals a number of cyber security shortcomings among companies of all sizes,” said Ben Walter, CEO of Hiscox USA. “At Hiscox, our aim is to help our clients understand and navigate today’s most pressing cyber security challenges, supplementing essential risk management and insurance with a roadmap for how to become more fully cyber ready.”
The Way Forward: Improving Cyber Readiness
The study shows the biggest gaps between experts and novices are in their strategy and process.
Novices can better prepare themselves by taking the following actions:
- Involving top management in the cyber security discussions. Nine out of ten experts (91%) say cyber security is a top priority at the board and C-level. Only 62% of novices say the same.
- Formalizing a cyber security strategy. Nine out of ten experts (92%) have a budgeting process that is integrated into all security projects and activities vs. only 40% of novices.
- Implementing more employee training. Nearly nine out of ten experts (86%) agree that employee training has reduced the number of cyber incidents. The figure for novices is 57%.
- Documenting the firm’s processes. An overwhelming majority of experts (96%) say their business has cyber security guidelines for employees, partners and external users, but only 42% of novices are as well organized.
- Tightening up technology. The gaps between novices and experts are generally less noticeable in technology deployment. Where the novices need to improve is in internal and external message encryption and the integration of strong authentication throughout their businesses.
- Investing in cyber insurance. Nearly two-thirds of experts (64%) have cyber insurance. This compares with just 28% of novices.
“Making cyber security a top business priority is an important first step in preventing and managing cyber-attacks,” said Dan Burke, Vice President and Cyber Product Head at Hiscox USA. “Being cyber ready does not necessarily require a massive financial spend. By focusing on strategy, resourcing and process, companies can help prevent costly business interruptions and irreparable damage to their brand.”
Full Hiscox Cyber Readiness Report 2017
About the Study
Hiscox commissioned Forrester Consulting to survey more than 3,000 executives, departmental heads, IT managers and other key professionals responsible for the cyber security decisions at their businesses in the UK, US and Germany (1,000-plus in each country). Respondents were drawn from a representative sample of businesses by size and sector. The online survey was completed between November 16 and December 5, 2016.
Hiscox, the international specialist insurer, is headquartered in Bermuda and listed on the London Stock Exchange (LSE:HSX). There are three main underwriting divisions in the Group - Hiscox Retail (which includes Hiscox UK and Europe, Hiscox Guernsey, Hiscox USA and subsidiary brand, DirectAsia), Hiscox London Market and Hiscox Re. Through its retail businesses in the UK, Europe and the US Hiscox offers a range of specialist insurance for professionals and business customers, as well as homeowners. Hiscox underwrites internationally traded, bigger ticket business and reinsurance through Hiscox London Market and Hiscox Re. For further information, visit www.hiscoxgroup.com.