Finance, Telco & Govt. Are Prime Cyber Targets, Study Shows



Dan Gunderman
02/14/2018

In a recent study commissioned by specialist insurer Hiscox, highly visible gaps in cyber security preparedness were uncovered at the organizational level.

In fact, nearly three quarters (73%) of the respondents (4,100 organizations across five countries) are considered to have lapses in their cyber security posture.

Nearly half (45%) of respondents indicated that they’ve dealt with at least one cyber-attack in the past year. Two-thirds of the responding organizations indicated they experienced two or more attacks.

The “Hiscox Cyber Readiness Report 2018” polled both private and public sector organizations in the U.K., U.S., Germany, Spain and the Netherlands.

Prefacing it, Hiscox Cyber CEO, Gareth Wharton, said, “Cyber security poses a challenge unlike any other. Businesses large and small, both public and private, face an enemy that is unseen and largely unknown, has seemingly shape-shifting powers and appears utterly unrelenting. Each year brings a renewal of the contest but in a subtly different form. This is an enemy that can be confronted but never quite defeated.”

To underscore that, the average cost of each breach was $229,000, although costs also skyrocketed to $25 million in individual cases. There was also a geographical pattern in the findings. While breach remediation set back Spanish organizations $356,000, it saddled U.S. organizations (1,000-plus employees) with $1.05 million in costs, according to the report.

Enterprises in the U.S., Germany and the U.K. faced $25 million and $20 million breaches, respectively.

“If anyone still harbored doubts about the severity of the threat, the events of the past year should have dispelled them,” Wharton added. “From the WannaCry ransomware attack to the hacking of one of the world’s largest credit agencies, 2017 produced numerous reminders that operating in a connected world has fearsome perils. The cost of these attacks has undoubtedly run into the billions.”

What were the main targets of these breaches? Financial services, energy, telecom and government appear to be the most sought-after sectors.

Where the study was unique was in its assessments of security strategy and of the effectiveness of that strategy. A minuscule 11% of respondents received high enough scores to be considered cyber security “experts.” The survey suggests that there is a “gulf” between those who grasp cyber security and are poised to face it head on, and those who are quick to pass off various duties.

The report highlights that enterprise security is “not an IT issue” but an organizational risk.

The study also uncovered that 21% of larger organizations (250-plus employees) were labeled “experts.” Those deemed cyber experts are also more inclined to have cyber insurance – in fact 60% of that subset has coverage. From the larger sample, one-third (33%) of respondents say they currently have cyber insurance; 25% plan to obtain coverage.

Organizations spent an average of $11.2 million on IT for the year, with 10.5% of that allocated to cyber security. Those deemed “experts” were apt to spend more (up to twice as much) on cyber security, too.

Cyber spend is also projected to rise, in a market saturated with solutions and amid a rising awareness of the utter importance of strategy. Fifty-nine percent of respondents plan to increase their cyber security budgets in the coming year, according to the study.

Robert Hannigan, an advisor to Hiscox and former director of the U.K. Government’s Communication Headquarters, who was responsible for setting up the U.K.’s National Cyber Security Centre, said in the study that, “The cyber threat itself is set to grow in volume and severity, as criminal groups gain access to more sophisticated tools and become more reckless.”

He continued: “The rapid growth of the ‘internet of things’ will amplify insecurities by adding millions of new devices with minimal built-in security. For those trying to protect against attack, the shortage of cyber skills will continue to be chronic.”

Despite the sharp caution, it is a promising sign that “expert” organizations are quite cognizant of the cyber security threat. The remaining labor will come in upping the expertise.
