UK insurer Hiscox has released its seventh annual Cyber Readiness Report. The key finding from the report is that 53% of companies admit to experiencing a cyber-attack, up from 48% last year. The median loss caused by these attacks is over $16,000, down from $17,000 last year. In the UK, that median figure is £19,000.
Alana Muir, Head of Cyber at Hiscox, commented: “Improving digital resilience is a never-ending task for businesses, and the difference in how sectors are able to cope with this is marked. The uptick in attacks witnessed in the UK over recent years is concerning but not surprising.
“Cyber criminals are fast learners and often succeed in keeping one step ahead of the companies they are targeting. It’s important that cyber security and privacy are regularly reviewed, and necessary protections are put in place across all industries, to minimise damage to businesses and customers.”
Some key statistics from the report
The report is just 25 pages in length and looked at 1,000 companies across 14 different business sectors. The statistics across all territories show:
- The majority of businesses have faced cyber-attacks. The proportion has risen for the third year in a row, from 48% to 53%.
- Smaller companies continue to be hit hard. Around a third (36%) of businesses with fewer than 10 employees have been attacked, the report reveals. This figure is up by more than half over the last three years.
- Fewer countries name cyber risk as their top priority. Five out of eight countries now say it’s their main business risk, down from seven. Economic issues and competition have risen up the agenda.
- Fraud is the largest cyber threat. Payment diversion fraud has caused financial losses for one in three (34%) firms.
- Business email compromise is the top way of gaining access in the UK, Germany and the US. For Food & Drink companies, it represents 64% of all attacks.
- Corporate and cloud servers are the next most popular routes for hackers.
- The median cost of attacks has dipped. It’s now just over $16,000, compared to nearly $17,000 last time.
- Big losses remain common. Costs have reached $250,000 or more for 12% of attack victims.
- Median cyber security spending has grown. Over three years, it’s climbed 39% to $155,000. Over a two-year period, the figure has quadrupled for firms with fewer than 10 employees.
- Fewer ransomware victims are paying up. Under two-thirds (63%) have met ransom demands, down from 66%.
- Businesses spend a median of $605,000 on their overall IT budgets. This figure is the highest in the financial services industry, at more than $9,848,000.
- More than half of firms feel more vulnerable due to remote working. Pharmaceutical and healthcare companies agree with this the most (74%), our data shows.
What are the top 10 business risks?
The report lists the top ten business risks and how they have changed from 2022. They are:
Rank | Top ten business risks (%) | 2023 | 2022
--- | --- | --- | ---
1 | Exposure to a cyber attack | 40 | 45
2 | Losses due to economic issues e.g. inflation | 38 | 40
3 | The emergence of new competitors | 36 | 36
4 | Skills shortage | 35 | 40
5 | Reputational damage e.g. negative press | 35 | 37
6 | Regulatory or legislative changes | 34 | 37
7 | Pandemic or infectious diseases | 33 | 42
8 | Geopolitical conflicts disrupting operations | 33 | –
9 | Fraud and white-collar crime | 32 | 38
10 | Extreme weather and natural disasters | 29 | 33
While cyber-attacks remain the number one concern, it is interesting that it has reduced by 5% from 2022. Given the number of breaches and attacks, it raises the question of priorities. Importantly, it is not the only risk to drop in priority. Every single risk dropped this year with the exception of geopolitical conflicts disrupting operations.
What is not clear is if Hiscox did any further research on the responses. For example, does that one risk encompass the risk in cyber-attacks as a result of those conflicts? Ukraine-Russia and now Israel-Hamas have seen a significant uptick in cyber-attacks. It is strange, therefore, that this is not reflected in the top risk here. The same is true of the surge in inflation and interest rates.
Interestingly, it appears that boards are more engaged than before. 41% of respondents at large companies who said their exposure to attack has decreased “mention more board involvement, leading to improved risk management or risk transfer (e.g. cyber insurance).”
Small firms lack confidence
Unsurprisingly, the report shows that small companies lack confidence. Just 61% of those with fewer than 250 employees are confident in their cyber readiness. That compares with 71% in larger companies.
One factor could be the lack of skills and the expense of hiring people with the right skills. However, an increasing number of companies with fewer than 250 employees are outsourcing security to MSSPs. Do they lack trust in their security partners? It would be interesting to know more.
An interesting statistic is that the smallest of firms are now being targeted. 53% (2022: 48%) now report suffering cyber-attacks. Companies with fewer than 10 employees are now being targeted too: 36% report experiencing a cyber-attack. Hiscox says they must take this more seriously.
One reason the smaller companies, even very small companies, are being targeted is the supply chain attack. Attacking a large organisation can be time-consuming and means getting through multiple layers of security. Smaller organisations will lack a lot of that security in depth, which makes them an easier target. Once breached, they act as a gateway to larger suppliers. Surprisingly, Hiscox did not ask large organisations how much time they invested in helping secure their smaller supply chain partners.
Ransomware demands continue to increase
Ransomware demands continue to increase. 20% of businesses reported they had received a ransomware demand, compared to 19% in 2022. While only a small increase, it is still an increase. There has, however, been a fall in those paying a ransom. In 2022 it was 66%; in 2023 it is 63%.
Hiscox also reports that the cost of recovery has dropped. The average is now $5,400, and the maximum paid out was $535,000. Reasons for paying out were “to protect confidential internal information (43%) or customer data (42%). The latter was the stand-out reason among large companies for paying a ransom.”
Despite paying, fewer companies got their data back. In 2022, 59% said they got access to their data, but in 2023, that figure dropped to 46%. Just 32% said they recovered some of their data, but for 25% of victims, data was either leaked or the recovery key failed to work. Unsurprisingly, 20% sustained another attack.
Enterprise Times: What does this mean?
There is far more than just the items highlighted above in this report. What it does, however, is paint a positive, if at times slightly confusing, picture. Overall, it seems there is better cybersecurity taking place, and companies are listening to advice. The board is more engaged than ever before, and that means spend in IT and, in particular, cybersecurity, has increased.
The most positive thing from the report is that, on Hiscox’s cyber maturity assessment, every sector has moved from cyber novice to cyber intermediate. However, there are no cyber experts in their assessment. That is disappointing, although it is possible that we might see a breakthrough next year.
Overall, as with all these reports, there is a lack of finer detail around the numbers. As already called out, the geopolitical risks seem to have absorbed risk from other areas. That is likely to be masking issues that need to be addressed, and it is disappointing that Hiscox did not investigate further.