The cost of dealing with cyber events such as ransomware and viruses has more than tripled for businesses since 2018, according to a survey by the business insurer Hiscox, which reviewed data from its annual Cyber Readiness reports going back to 2018.
The financial toll of cyber events, which include data breaches, was estimated at an average of $16,950 (£15,265) per year in the insurance firm’s 2022 Cyber Readiness report. Half of the companies surveyed experienced at least one cyber attack in 2022, a rise from 39 per cent in 2020. Industries were affected differently. The financial services and ‘Technology, Media and Telecom’ (TMT) sectors reported at least one attack for three consecutive years. According to the latest report, as many as two-thirds (66pc) of financial services firms were impacted by one or more cyber attacks in 2021-22. While the median cost of cyber events (the middle value when all costs are lined up) has increased, the survey suggested that businesses are getting savvier in their cyber preparedness, with the average IT budget for cyber security in 2022 being £4,714,482.83. This marks a three-fold increase in spend compared with £1,323,973.13 in 2018.
Alana Muir, Head of Cyber at Hiscox, said: “Cyber risk has risen to the same strategic level as traditional financial and operational risks, thanks to a growing realisation by businesses that the impact can be just as severe. While there has been some fluctuation over the years, cyber attacks are on the rise, so the increased focus and investment from businesses to minimise damage to their brand, operations and customers is positive. A proactive approach to cyber security is the best way to reduce the likelihood of a cyber event and limit the impact. Businesses should regularly evaluate their processes, people management and knowledge of the subject, and aim to create a culture of cyber security where everyone is well-equipped to respond, should the worst happen.”
Meanwhile, another survey, which asked cyber decision makers about their concerns, finds that 78pc believe the cost-of-living crisis will increase the risk of a cyber threat occurring in their organisation. This finding was especially prevalent in the healthcare (84pc) and financial services (86pc) sectors.
Nearly all (93pc) of those surveyed say that they are being kept awake at night worrying about organisational security issues. The top three issues reported were lack of cyber security skills within the organisation (30pc), limited resources within the IT team (29pc) and old IT infrastructure (27pc). A quarter (25pc) of cyber security decision makers were also worried about third-party suppliers leaving them vulnerable to a cyber attack.
Leyton Jefferies, Head of Cyber Security Services at CSI Ltd, which ran the survey, says: “The cost-of-living crisis is very attractive for threat actors looking to prey on victims who may be more vulnerable than normal. Criminal opportunists understand that resources are increasingly being squeezed and constrained and employees may be less diligent about clicking on links. Unfortunately, it presents the perfect landscape for them to thrive. The paranoia in the healthcare and financial services sectors may be due to recent high-profile breaches and a greater understanding of the power of the data that they hold. Of course, the positive that we can take away from this is the level of awareness and an obvious reluctance to brush off the perceived risk. Cyber security decision makers appear to be going into this recession with their eyes wide open.”
Nick Westall, CTO, CSI Ltd, adds: “While the level of security concern exhibited by cyber security decision makers may be justified, operationalising this mentality across the whole organisation will be one of the biggest factors to tackle this year. Effective cyber hygiene relies on fostering a zero-trust culture which assumes that every user and device accessing a network is a potential threat. To make this happen, involvement across the C-Suite is needed to ensure that cyber security investments are worthwhile and effective, and that security training is implemented at every level.”
For respondents in the healthcare sector, a lack of budget was a top concern (30pc). This is particularly worrying for an industry where the perceived risk is higher.