HISCOX Cyber Readiness Report Shines Light on Commercial Cybersecurity
One of the most important concerns for organizations of all sizes is protection against cyberattacks and other digital threats to security. These dangers can prove a major setback for a company, and many even pose an existential threat. In order to effectively prevent cybersecurity incidents and protect sensitive data and other vital assets, organizations must be prepared for the possibility of an attack. This requires knowledge of threat trends and the digital landscape, things that are constantly in flux, so staying up to date on the latest developments is of the utmost importance. Insurance provider HISCOX has released the seventh annual Cyber Readiness Report to explore how businesses are managing their cyber risks.
Businesses’ Risk Sentiment
The Cyber Readiness Report reveals the concerns that organizations have regarding business risks. As in previous years, the most pressing worry among businesses is exposure to a cyberattack, with 40% of organizations citing it as a source of high risk for the company. However, this is a marked decline from the previous year—in fact, many of the categories of business risk cited show a decrease from the 2022 report. Beyond cyberattacks, businesses are most likely to be concerned with the risk factor of losses due to economic issues, the emergence of new competitors, skills shortages, reputational damage, and regulatory or legislative changes.
Another change from previous years is an increase in the proportion of firms stating that their cyber risk has lessened. Factors associated with this increased confidence include more effective implementation of cybersecurity measures, larger budgets, and increased board involvement in cybersecurity issues. Among the organizations that cited an increased cyber risk, the most commonly cited reasons are a larger proportion of employees working remotely and the dangers of employees using their own devices. Larger organizations, as well as organizations that have experience with cyberattacks, are more likely to have higher levels of confidence in their ability to handle an attack.
The Reality of Cyber Dangers
In addition to examining what organizations think of their cyber readiness, the report also details trends in attacks and their impacts. For the third year in a row, the proportion of firms who have experienced one or more cyberattacks has increased—53%, compared to 48% in the previous report. Even more alarming, 70% of companies with more than 1,000 employees reported at least one cyberattack.
In spite of the increase in the number of attacks, the financial impact overall seems to hold steady. There is a wide variation in the raw numbers, and the changes year-on-year depending on the company’s size and the industry. The smallest companies—those with fewer than 50 employees—have shown a decrease in median costs over the past two years, while those with more than 250 have experienced significantly increased median costs. Companies in the manufacturing, transport and distribution, energy, government, and non-profit sectors suffered higher median losses than other industries.
One of the most pernicious forms of cyberattack is ransomware. One-fifth of the firms that were attacked this year were targets of ransomware, a slight increase from the previous report. While 63% of those organizations paid the ransom, only 46% of those who did so were able to recover the stolen data successfully.
Bolstering Cyber Readiness
There is more than one tactic that an organization can use to approach the issue of cyber risk management. Companies can adopt a proactive attitude, primarily motivated by positive drivers, or a defensive or reactive attitude, primarily motivated by negative drivers. Of those in this report’s study group, 48% take the proactive tack, compared to only 6% favoring a reactive attitude. The most motivating positive factors for organizations are to show customers that the company takes cybersecurity seriously and to avoid business interruptions. At the same time, the negative drivers commonly relate to meeting regulatory compliance requirements and customer demands for cybersecurity.
The proactive approach to cyber risk management requires assessing the security posture and capabilities of the organization and taking steps to fortify against attacks. Many factors go into ensuring that an organization is prepared against attacks, and every organization is different. Still, some of the common predictors of cyberattacks can be connected to a lack of focus in several areas:
- Vulnerability assessments and penetration testing
- Testing new software for vulnerabilities
- Enforcing multi-factor authentication
- Centralized data aggregation and storage
- Detecting suspicious network communications
- Fixing security vulnerabilities
- Monitoring and analyzing security event data
Organizations with particularly high cyber maturity scores—at least four out of five according to HISCOX’s cyber maturity model—tend to take certain actions to ensure their cyber readiness. These actions include controlling communications, proactively identifying and removing malicious software, backing up data, and inspecting encrypted communications. Organizations with higher cyber budgets are also more likely to feel more confident about their cyber risk.
Conclusion
The HISCOX report highlights several interesting trends in organizations’ cyber readiness, how they understand their cyber risk, and the threat landscape itself. There are many ways in which this year’s report shows improvement over previous years, such as the increased optimism in organizations’ understanding of the top business risks. However, the reality of the threats has shown more mixed results, with the proportion of firms reporting attacks increasing, as well as the intensity of the attacks. The report demonstrates the state of the organizations in the study and the continued importance of cybersecurity measures and cyber readiness.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.