Despite the hike in cyber attacks across industries, almost three quarters of organizations lack cybersecurity readiness, a new report found.
That failure to prepare has major consequences: Globally, almost half of the 4,500 businesses surveyed (45 percent) across the U.S., UK, Germany, Spain, and the Netherlands reported at least one cyber attack in the past year, according to the report from specialist insurer Hiscox. Of those, two-thirds suffered two or more attacks.
With 73 percent of companies not ready, the study echoes the message voiced loudly for the past few years: It’s no longer a question of if you will experience a breach, but when.
To determine a firm’s cyber readiness, Hiscox evaluated the following categories: Strategy, engagement, organizational leadership, training and evaluation, cyberinsurance, and willingness to make changes in response to a cyber incident.
In the U.S. alone, large businesses lose an average of $1.05 million to cybercrime annually, the report found. That is despite the U.S. topping the list of nations studied in terms of cyber expertise, with 13 percent of respondents ranking as “cyber experts,” compared to 11 percent of global respondents.
In the U.S., cyber threats are ranked as a top risk among companies: Though many lack adequate defenses, two-thirds of respondents ranked the threat of a cyberattack alongside fraud as a top risk to their business.
On average, respondents had an IT budget of $11.2 million, of which 10.5 percent was devoted to cybersecurity. However, the cyber experts had markedly bigger IT budgets than the novices ($19.8 million on average versus $9.9 million) and devoted a higher proportion to cybersecurity (12.6 percent versus 9.9 percent). Some firms spent a lot more – with 37 percent devoting between 11 percent and 25 percent of their IT budgets to cyber. Financial services firms are the largest spenders on cyber, followed by the pharmaceuticals and healthcare sector and then government entities.
Along those lines, companies said they believe their overall cybersecurity spending budget will increase by five percent or more this year.
It may sound simple, but employee training does work to prevent attacks, the report found.
Of the organizations investing in cybersecurity efforts, 54 percent said employee training helped reduce the number of cyber hacks and incidents at their company. In the U.S., 43 percent of employers reported conducting cybersecurity exercises, like phishing experiments, on their employees to better understand behavior.
“As threats become more advanced and sophisticated, cyber readiness is no longer a ‘nice to have’ but a ‘must have’ for businesses of all sizes,” said Dan Burke, vice president and cyber product head for Hiscox in the U.S. “There needs to be a dedicated investment, and not just a financial one, in order [to] prevent, detect and mitigate cyber attacks. Beyond the allocation of funds, an organization must focus on its people, its thinking and its processes, in order to become a cyber expert.”