The coronavirus pandemic has created a number of new cyber security threats and vulnerabilities, not the least of which is the need to support a massive shift to remote work. The worldwide health crisis has presented hackers and other cyber criminals with opportunities to take advantage of the upheaval in business.
But here’s some good news: prior to global crisis many organizations were already taking steps to strengthen their cyber security defenses, according to a recently released report from specialist insurer The Hiscox Group in collaboration with research firm Forrester Research.
“After two years when progress appeared to stall, there is clear evidence of a step-change in cyber preparedness,” the report said. “This is apparent not only in the metrics that make up our cyber readiness model but also in the enhanced levels of activity and spending underway to meet the challenge. This is not a moment too soon.”
The study is based on a survey of more than 5,500 cyber security professionals in the U.S., U.K., Belgium, France, Germany, the Netherlands, Spain, and Ireland between December 2019 and February 2020.
One of the key findings is that organizations were devoting more money to cyber security. For example, the U.S. businesses surveyed said they had increased their average cyber security spending within their IT budgets by 61%, to $2.4 million.
While 39% of U.S. organizations reported they did not take action after a security incident in the previous year, that figure fell dramatically to 3% in the current year’s report. The actions taken by these organizations include regularly evaluating and discussing security and privacy, increasing spending on employee training and cultural change, and creating additional security and audit requirements.
Clearly the improvements were needed. While only 41% of the U.S. respondents reported that their organization had experienced at least one cyber incident or breach compared with 53% in the previous year, the median cost of all cyber security breaches in the U.S. rose from $10,000 to $50,000 year to year. That indicated cyber criminals have been doing more damage in fewer, more sophisticated attacks, the report said.
The researchers defined an incident as any event that does not succeed in compromising the confidentiality, integrity, or availability of information; and a breach as any event that successfully compromises the confidentiality, integrity, or availability of information, resulting in a material loss.
Fifteen percent of the organizations that experienced a cyber incident or breach reported bad publicity or impact on their brand or reputation as a result, compared with just 3% the previous year. Organizations also experienced greater difficulty in attracting new customers following an incident or breach, with 17% reporting these challenges compared with 3% the previous year.
Small businesses remain particularly vulnerable to risk, the report said. Nearly one third (32%) of U.S. small businesses (those with fewer than 250 employees) experienced at least one cyber incident or breach in the past year. Of those, only one in five purchased or enhanced their cyber insurance policy for protection against threats.
The incident and breach numbers were strongly influenced by a relatively small contingent of organizations in each of the eight countries that reported 500 or more security events, the report said.
While it would be reasonable to assume they are all enterprise-scale businesses, the researchers said, they are not. In fact, a surprising number are among the smallest.
In many sectors, the majority of small companies have no one managing cyber security, the study noted. In addition, dependence on a managed service provider (MSP) might backfire when that MSP is itself attacked.
Still, the biggest companies were more likely to be targeted for attack than smaller ones. More than half of all enterprises (51%), those companies with 1,000 or more employees, said they had at least one cyber incident. They also reported a median of 100 incidents and 80 breaches.
Some 11% of overall respondents said they did not know how many times they had been targeted for cyber attacks, up from 4% in the previous year’s report. Surprisingly, the report said, the largest percentage of “don’t knows” was among enterprises with more than 1,000 employees.
While a high level of preparedness can be no guarantee of security, the report said, there are credible steps organizations can take to minimize their vulnerability, respond effectively, and recover in good order. Learning from security incidents and making sure they inform and improve planning and resilience to subsequent incidents is key.
This year’s report highlights the importance of changing employee behavior when it comes to cyber security, which takes the form of company-wide training to build cyber security awareness.