Cyberattacks: A very real existential threat to organizations
We all know cybersecurity is a critical element of business risk. But how critical? Some boardrooms seem to pay little more than lip service to security and still manage to avoid serious repercussions. That’s why a new report from global insurer Hiscox makes for interesting reading. It actually claims that many European and American organizations have come close to insolvency after security breaches. And while spending is on the rise, fewer global firms than ever are described as cyber-readiness “experts.”
It’s clear that knowing where to direct investment in cybersecurity has never been more important. So what do the experts do to avoid bankruptcy? According to the report, it’s largely a blend of best practice basics and a willingness to learn from previous incidents.
An existential threat
The report is compiled from interviews with 5,000 businesses in the US, UK, Belgium, France, Germany, Spain, the Netherlands, and Ireland. Some of the findings we knew already. But there are some interesting nuances. For example:
- Seven of eight countries rank a cyberattack as the number one threat to their businesses
- Half (48%) of respondents reported a cyberattack in the past 12 months, up from 43% last year
- A fifth (19%) of respondents reported a ransomware attack, up from 16%. Two-thirds of victims paid their attackers
So far, so usual. However, there’s a big gulf in perception between those that have suffered an attack and those that have not. More than half (55%) of cyberattack victims see cybersecurity as an area of high risk, but the figure falls to just 36% for those who have not experienced a compromise. Similarly, 41% of those attacked say their risk exposure has increased, but for the other group the figure is less than a quarter (23%)
Another interesting nugget: cybercriminals appear to be increasingly targeting smaller companies. Those with revenues of US$100,000-$500,000 can now expect as many attacks as those earning $1m-$9m annually.
Costing firms dear
This is important, as a fifth of responding firms that were attacked say their solvency was threatened, an increase of 24% from last year. Although not broken out in the report, breach costs may include:
- Operational outages
- Legal costs
- IT overtime and third-party forensics costs
- Regulatory fines
- Customer churn
- Lost output and sales
- Long-term reputational damage
This may partially explain why spending is up. Respondents’ mean cybersecurity spending increased 60% in the past year to US$5.3 million and has increased by 250% since 2019, according to the report
How are attackers compromising organizations?
To better understand how your organization can avoid bankruptcy, we first need to know how threat actors are doing so much damage. According to the report, the main vectors for attack are:
- Cloud servers (41%)
- Business email (40%)
- Corporate servers (37%)
- Remote access servers (31%)
- Employee-owned mobile devices (29%)
- DDoS (26%)
This chimes with the findings of other reports and the narrative that remote working, pandemic-related investments in cloud infrastructure, and remote working security challenges are some of the biggest risks facing organizations today. These have combined with human error to create a large attack surface for threat actors to aim at.
What to do next
Of some concern is the fact that cyber-readiness scores as estimated by Hiscox fell by 2.6% year on year, leading to a sharp drop in the number of firms ranked as “experts” – from 20% to just 4.5%. The proportion ranked as novices also declined significantly, leaving most as “intermediates.” Cyber-readiness matters because median attack costs, as a percentage of revenues, are two-and-a-half times higher for firms ranked as “cyber-novices,” the report claimed.
So what does a mature cyber-ready organization look like? Fortunately, it’s not all dependent on how much money is available to spend. Several best practices are highlighted, including the following:
- Formalize cybersecurity with clearly defined roles and board or senior management buy-in
- Ensure top execs have clear visibility into and engagement with cybersecurity
- Follow best practice standards such as the US National Institute of Standards and Technology (NIST) framework
- Spread investment over NIST’s five key functions – identify, protect, detect, respond and recover
- Focus on incident response planning and attack simulations in light of current geopolitical uncertainty
- Regularly assess corporate data and technology infrastructure
- Provide effective cybersecurity awareness training
- Ensure business suppliers and partners adhere to security requirements
- Focus on “low-hanging fruit” processes such as patching, pen-testing and regular backups
Taken together, these steps will help minimize the chances of an attack ultimately bankrupting the organization.