Cyber-attacks have affected a majority of organizations in the past year, with 57% having experienced an incident, according to a new report.
The Hiscox Cyber-Readiness Report – prepared by Forrester of Consulting for the insurance firm – surveyed technology and business leaders in over 3,000 organizations in the US, Germany, and the UK. It found that more than half (53%) are ill prepared in security terms, with those respondents describing themselves as “cyber-novices”.
Experts, then, are in a clear minority. But what is the scale of the threat?
Cyber attacks disproportionately affect US organizations, found the survey, with 63% reporting incidents over the past year – including 72% of larger businesses. Nearly half of all US firms (47%) reported two or more attacks, and 11% reported five or more.
Although organizations in the UK are less likely to be attacked than their counterparts in the US and Germany, affected firms are still in the majority: 55% of UK organizations experienced attacks of some kind last year, with those in the technology, media, and telecoms sectors being the most frequent targets. Forty-five percent of companies in those sectors reported two or more incidents.
Technology, media, and telecoms companies are also key targets in the US, along with organizations working in transport and distribution.
While external hacks on the organization are seen by 42% of respondents as the most serious threats, incidents affecting business partners or suppliers are the next most commonly cited, followed by internal threats, such as rogue employees, with lost or stolen devices bringing up the rear.
Overall, the evolving nature of online security threats was seen as the most significant challenge to security by 70 percent of all respondents.
The financial impact of cyber crime is considerable, with costs ranging up to over £500,000 per incident, says Forrester:
The results show a wide range of cost impacts – from under £1,000 to over £500,000 per incident. At the top of the range are very large organizations, defined here as those with 1,000-plus employees, where the average cost per incident ranges between €45,000 in Germany and $102,000 in the US.
But the damage isn’t purely financial, says the report:
Among firms that have suffered a security incident in the past 12 months, one in ten admits to having lost customers or experienced greater difficulty attracting new ones as a consequence. In the US, the total is nearer to one in six (15%).
A small proportion (eight percent) say they have lost business partners and a similar proportion have experienced publicity that has had a negative impact on their brand or reputation. Again the figures are higher for US respondents, at 11% and 10%, respectively.
Cybercrime doesn’t only impact on the biggest, most obvious targets, say researchers: the damage to smaller organisations can be much higher in relative terms, even though they have less complex IT environments:
While big firms incur the highest costs in nominal terms, the financial impact of cyber attacks is disproportionately high for the very smallest companies (defined here as those with fewer than 100 employees).
The cost per incident for the smallest companies is not appreciably less than for those in the next tier up and far higher per employee than for the largest companies. In Germany, for instance, the average cost of a cyber security incident for the very smallest organisations is almost half (48%) the average for the very largest organisations – which are at least ten times their size. In the UK and US, the equivalent figures are 41% and 35%.
The attacks themselves are just one part of the security challenge, warns Forrester; just as important are the time taken to discover the incident and to repair any damage. This is what sets the novices apart from the experts, and it can have knock-on impacts on organisations’ finances and reputations.
But there is some good news: globally, three out of five businesses (62%) took less than 24 hours to become aware of their biggest cyber incident, and over a quarter (26%) did so within an hour of its occurrence. That said, more than one-third of respondents (37%) took two or more days to discover the problem, with one per cent still unaware after a week.
In terms of recovery, nearly half (46%) of respondents said it took two or more days to get back to ‘business as usual’ – not counting investigations and remedial work, says Forrester.
The analysts make an intriguing observation:
There is a marked difference in reported recovery times between the three countries. While 55% of German firms got back to business as usual within one day, only 45% of UK firms and 40% of US firms managed to do the same. And more than a quarter (29%) of IT teams in the US were still engaged in recovery work four or more days later – which may reflect the higher than average cost per incident in the US.
So what can be done to meet the cyber security challenge when the stakes are constantly rising?
Many organizations struggle to answer that question, found the report: 26% say that “nothing changed as a result of the security incidents”. This compares with the 24% that say they spent more on new threat-prevention technologies and the 23% who increased spending on threat detection. Despite this, 59% of organizations overall report that the budget for cyber-security is increasing.
So what are they spending the money on if not better technology? Nearly half of all firms (47%) say they intend to increase cyber-security staffing by at least five per cent this year. US firms are the most likely to grow their headcounts (54% are planning to do so), even though they already have more people engaged in cyber-security than their British and German counterparts.
Another survey published this week, this time from security professionals’ organisation ISC², reveals that two-thirds of British companies are “chronically understaffed” and do not have enough cyber security professionals. The global shortfall of security workers will reach 1.8 million over the next five years, says ISC².
The need for all organisations to become more expert at security prevention, detection, and recovery is clear. But what makes an expert organization?
The key to cyber security has always been to recognise it as something more than a technology problem demanding technology solutions: it also needs to be a strategic agenda item backed by cultural and management transformation. Every tier of business from the CEO to the post room boy needs to understand the organisation’s security policy and its legal responsibilities.
Forrester identifies the following essentials in making the move from novice to security expert:
- Top-level buy-in from the executive management board.
- A cross-functional approach .
- Higher spend, more staff .
- More employee awareness training .
- Better use of metrics.
- Enforced security standards.
Expert organisations also understand the need for continued effort on a broad front, says Forrester:
The great majority of experts see the reinforcement of cyber-defences as a near-continuous process. Experts are twice as likely as novices to label as priorities areas such as compliance with the security requirements of business partners, or the need for organization-wide awareness training for employees.
Greater recognition of the scale of the challenge is part of what defines the maturity of their cyber-readiness effort.
There is a characteristic shared by most of the experts, though it is less easily defined: they are more aware of the challenges associated with facing today’s complex cyber risks and more conscious of the need to continue ramping up the defences.
But for many respondents – both large and small – government has a role to play as well. According to Forrester, a major gripe for German and UK businesses in particular is the perceived lack of support by central government: just 43% of German organizations and 48% of British ones said that their respective governments’ support was good enough to help them counter the cyber threat.
The report was published just before Queen Elizabeth opened the UK’s new National Cyber Security Centre, part of GCHQ, which has the stated aim of making the UK the safest place in the world to do business.
The move is both timely and essential, as most technology suppliers privately agree on one thing: the UK’s new surveillance laws risk making the country, the digital economy, and technologies themselves less safe, based on the principle that an internet that is easier to spy on is an internet that is easier to hack.
So we look forward to GCHQ’s proposals to both secure the UK’s digital economy and to make the interception and retention of communications easier: a security conundrum of an entirely new kind.