Cyber losses soar but fight-back intensifies
International study shows near six-fold rise in cyber losses but a big jump in cyber security spending...
Cyber losses among businesses targeted in the past year have risen nearly six-fold, from a median $10,000 per firm to $57,000. But there are signs firms are responding with more rigorous security measures and higher spending, which increased 39%.
These are among the findings in a study of 5,569 companies across eight countries, commissioned by insurer Hiscox. Encouragingly, while losses increased, the proportion of businesses targeted fell from 61% to 39%.
The Hiscox Cyber Readiness Report, now in its fourth year, surveyed a representative sample of private and public sector organisations in the US, UK, Belgium, France, Germany, Spain, the Netherlands and Ireland. Each firm was assessed on its cyber security strategy and execution, and ranked accordingly. The results showed a marked improvement in cyber security readiness with the numbers achieving ‘expert’ status nearly doubling – from 10% to 18%.
Among the key findings:
- Cyber losses soar: Total cyber losses among the study group rose from $1.2 billion to nearly $1.8 billion. The highest reported cyber losses were by a UK financial services firm, at $87.9 million. The highest loss from any one cyber event was $15.8 million, involving a UK professional services firm. The most heavily targeted sectors were financial services; manufacturing; and technology, media and telecoms (TMT). Irish firms suffered the highest median costs, at over $103,000.
- Held to ransom: More than 6% of total respondents – or one in six of those attacked – paid a ransom following a malware attack. The highest losses reported by any single company targeted with ransomware – and which could include other cyber events – topped $50 million.
- Upping their game: The number of firms achieving ‘expert’ status in our cyber readiness model increased from 10% to 18%. This follows two years in which progress stalled. US and Irish firms came out best with 24% ranked as experts. France was the biggest improver with 18% of firms ranked as experts, up from 6%. Overall, twice as many firms responded to a breach this year by adding new security and spending more on employee training.
- Pace of cyber spending accelerates: The average spend on cyber security rose from $1.47 million to $2.05 million, a rise of 39%. French firms spent the most with an average of $3.1 million. Spanish and US firms were not far behind, at $2.6 million and $2.4 million respectively. The UK, a laggard in past reports, started to catch up: average spending rose from just under $900,000 to $1.5 million.
Gareth Wharton, Hiscox Cyber CEO, commented: ‘While the number of firms reporting a cyber breach is down this year, the cost of criminal activity in this area appears markedly higher. The number of businesses that have paid a ransom following a malware infection is chilling. There is, however, one very positive message from this year’s report. There is clear evidence of a step-change in cyber preparedness, with enhanced levels of activity and spending. Take-up of standalone cyber insurance remains patchy, but this report is a reminder that firms are many times more likely to have a cyber incident than either a fire or a theft – for which most automatically insure.’
The study also shows:
- Big firms in firing line: More than half of enterprise-scale firms with 1,000+ employees (51%) reported at least one cyber incident. That compares with 39% for the whole sample. They also reported the most incidents (a median 100) and breaches (80).
- Spending buys expertise: Firms that ranked as experts in our cyber readiness model spent an average of $4.2 million over 12 months on cyber security. Those at the other end of the scale – the ‘novices’ – spent an average of $1.3 million.
- Defence in depth pays off: Whether a ransom was paid or not, the average losses for firms subjected to a ransomware attack were nearly twice those of firms confronted by malware on its own – $927,000 compared with $492,000. The figures, which include losses from all cyber events, underline the importance of good detection and backups.
- Signs of a new urgency: This year’s report shows approximately twice as many firms responding to a cyber event by taking extra measures to combat the hackers. One example: 25% increased spending on employee training following an attack, compared with 11% last year. Many more are prioritising key initiatives for the coming year, and nearly three-quarters of respondents (72%) plan to increase their cyber security budgets by 5% or more in the year ahead, up from 67% last year.
- More buy cyber cover following cyber event: The proportion of respondents saying they have purchased cyber insurance as a result of a previous cyber event has risen steadily over the past three reports – from 9% to 20%. Just over a quarter of firms (26%) said they had a standalone cyber policy while a further 18% said they planned either to purchase standalone cover or add it as coverage to their policies. Firms ranked as experts are ahead of the game: nearly half (45%) said they had a standalone cyber policy.