View this article online: https://www.insurancejournal.com/news/international/2022/05/17/667942.htm

Businesses See Cyber Attacks as Biggest Threat – Ahead of Pandemic, Economy: Survey

Cyber attacks are now seen as the dominant risk for many businesses – ahead of the pandemic, economic downturn, skills shortages and other issues, according to a report published by Hiscox.

For its Cyber Readiness Report 2022, Hiscox found that businesses in seven out of eight countries see cyber as their biggest threat, while one-in-five (20%) of business owners said their solvency was threatened by a cyber attack.

Hiscox surveyed over 5,000 businesses in the U.S., UK, Belgium, France, Germany, Spain, the Netherlands and Ireland, in the sixth year of its report. From a country perspective, only Irish firms relegated the cyber threat to the number two spot, behind pandemics.

In addition, the survey found that the impact of the cyber attacks are becoming more expensive with the median cost of an attack rising 29% to just under $17,000.

This figure “masks a wide range of outcomes – between a low of $9,900 in Belgium and a high of $28,100 in the UK, where costs more than doubled,” said the report, noting that costs also doubled in Ireland – to $16,800.

“One UK firm suffered total attack costs of $6.7 million. At the worst-hit businesses in Germany, Ireland and The Netherlands, costs topped $5 million,” it added.

However, these figures only represent the tip of the iceberg of the impact of cyber on businesses, the report indicated.

“The number of respondents laying off staff following an attack has doubled – from 5% to 11%. One-in-five firms paid a substantial fine to a government agency, nearly twice as many as the previous year, and a similar proportion (21%) said the impact was enough to threaten their solvency,” the Hiscox report confirmed.

Ransomware Attacks Increase

The report said that more firms were hit by ransomware – 19% compared with 16% the previous year. “Two-thirds (66%) paid up and more than half (53%) paid ransoms on multiple occasions,” said the report, noting that U.S. and Irish firms were most likely to pay up, while German companies were the least likely.

“The single largest ransom paid was just under $100,000, marginally up on last year’s $95,000,” added the report.

The report cited “one strange anomaly” in that the food and drink sector was the least targeted by ransomware with only 14% of firms reporting an attack. However, the sector is the most likely to pay a ransom – with 62% of affected firms deciding to give in.

Mid- and Small-Sized Firms Targeted

While the cyber criminals have long targeted high-value companies, the report warned they are now moving down the food chain.

“Companies with revenues of $100,000 to $500,000 can now expect as many cyber attacks as those earning $1 million to $9 million annually,” the Hiscox report continued.

The problem for smaller firms is that spending on building cyber defenses has dropped, the report said. “That appears to be part of a decline in overall IT spending at the lower end of the corporate spectrum. But this is not coming at a good time.”

Firms with between 10 and 49 employees have almost halved their cyber security budgets, from $411,000 to $225,000, while spending has collapsed for firms with less than 10 ten employees – from an average $150,000 to just $29,000, the survey found.

“This is likely pandemic-related as companies have less in the pot to spend on IT. The percentage of IT budget spent on cyber security for this size of business has slightly increased from 17% last year to 20%. Though there’s less to go around, they’re not completely ignoring the importance of cyber security,” the report noted.

The report suggested the pandemic may well have played its part in the reduction of IT budgets for smaller companies. “The move to remote working has prompted many smaller businesses to adopt cloud solutions in preference to building out their own remote services. That, in turn, has encouraged more cyber criminals to exploit vulnerabilities in cloud applications and target cloud service providers too.”

However, at the other end of the size scale, cyber security spending has surged significantly, showing a big divide between large and small companies. “Average spending by firms with 250 to 999 people has doubled in the past year. For enterprise firms of 1,000-plus it is up 65%. At nearly $20 million, their average spend has risen nearly fivefold in three years,” the report said.

The report’s other key findings include:

• The frequency of cyber attacks increased by 12% from last year with 48% of businesses saying they suffered a cyber attack in the past 12 months, compared to 43% in the prior year.
• Over 87% of businesses across the world see cyber as the number one threat to their financial health, and view it as more of a threat than an economic downturn and skill shortages.
• There is a huge gulf in perception between those who have suffered an attack and those who have not. “More than half of cyber attack victims (55%) see cyber as an area of high risk. Among non-victims the figure is just 36%.”
• More than three-out-of-five respondents (62%) agree their businesses were more vulnerable to an attack as a result of employees working from home. This rose to 69% in companies who employed more than 250 people.
• Average cyber security spending per company is up 60% in the past year to $5.3 million, an increase of 250% since 2019.
• Adoption of cyber insurance is highest in the financial services industry, where 74% of companies have cover either through a standalone policy or as part of a wider insurance policy.

“Business owners will have spent years growing and investing in their business, but one cyber attack could reduce what they have built to financial rubble,” commented Gareth Wharton, Hiscox Cyber CEO, in a statement accompanying the report.

“The threat of insolvency for many is very real given the increasing costs of an attack – the median cost of an attack has risen sharply by nearly a third to just under $17,000, and for some of the worst hit businesses costs topped $5 million,” he added.

“Remote working is not going away, and has impacted the volume of cyber attacks as cyber criminals gain access via cloud servers, so it is vital that businesses take the necessary steps to protect themselves against the complexity and speed of cyber attacks,” he said.

“In particular, the success cyber criminals continue to have in breaching systems via the use of phishing emails means one of the most effective defenses a business can have is continuing to raise staff awareness of the risks.”