Nearly three-quarters of global firms fell short of adequate cyber-readiness, despite the majority ranking online threats as the number one risk to their business, according to Hiscox.
The insurer’s Cyber Readiness Report 2018 used interviews with a representative sample of 4000 organizations in the US, UK, Germany, Spain and the Netherlands to assess their cybersecurity strategy and the quality of its execution.
The annual report found that only 11% scored highly enough in both areas to be ranked as cybersecurity “experts,” while 16% achieved expert status in either strategy or execution, but not both.
Yet the cyber-threat is well understood: two-thirds of respondents claimed it’s their top business risk, alongside fraud.
Perhaps unsurprisingly, large firms and those that spend more on security were judged to be the best prepared.
Some 21% of large companies ranked as cyber experts, versus only 7% of small firms, while cyber-experts spend twice as much on IT as those that failed the test ($19.8m versus $9.9m) and devote a higher proportion to cybersecurity (12.6% versus 9.9%).
The good news is that spending is on the rise, with 59% of respondents planning to increase their outlay on security.
Almost half (45%) of those polled claimed to have suffered at least one attack over the previous 12 months, and 66% of them were hit twice or more, with financial services, energy, telecoms and government sectors the biggest targets.
The average cost across all respondents of these attacks was only $229,000, although this rose to up to $20m for individual UK and German firms and $25m for their US counterparts.
Nick Hammond, lead advisor for financial services at World Wide Technology, argued that the report should be a reminder to those in the financial sector of the difficulty of getting security right.
“This kind of protection is all the more necessary this year, in the wake of new regulations such as MiFID II, PSD2 and GDPR. Unlike older rules that only required yearly tick-box compliance exercises, these new regulations require continued assurance of critical applications,” he added.
“But with the complexity of existing IT systems, which have been built with different and sometimes opposing metrics over the years, this is easier said than done. This web of opaque interdependencies is creating problems for cyber security. Without a clear view of how the system is plumbed together, there can be knock-on effects downstream when one application is prevented from sharing data with another system or user.”