By now, no firm should be unaware of the risks posed by cyber threats. If the constant warnings from bodies such as the National Cyber Security Centre aren't enough, the almost weekly reports of firms of all sizes falling victim to hacking attacks should keep businesses on a high state of alert.
But are companies actually heeding these warnings and taking the necessary steps to protect themselves from security threats? In many cases, the answer is still no, and some firms' level of readiness is actually getting worse as they fail to react to new and emerging attack patterns.
Number of cyber attacks and losses on the rise
That's the finding of a recent study by insurance provider Hiscox, which polled businesses in Europe and the US for its latest annual Cyber Readiness Report. It revealed the level of attacks is on the rise, with more than three out of five firms (61 per cent) experiencing a cyber incident in the past 12 months.
This was up from just 45 per cent in the 2018 report, while the frequency of attacks is also on the rise. Small and medium-sized firms are also increasingly coming under attack, emphasising that strong security defences should not just be a concern for large enterprises.
Perhaps unsurprisingly, this increase in attack frequency and intensity is also leading to greater financial damage for firms. Among respondents reporting attacks, average losses associated with cyber incidents rose from $229,000 (£176,950) last year to $369,000 – an increase of 61 per cent.
However, there was some good news for UK businesses here, as British-based firms experienced lower losses than average, at $243,000, while the majority of firms felt able to clearly measure the business impact of an attack.
Cyber readiness failing to keep up
It might therefore be expected that businesses would be putting a greater focus on preparing for attacks in order to mitigate their risks, but this is not necessarily the case. Indeed, Hiscox's survey found that while average spending on security solutions has increased by almost a quarter (24 per cent) in the last year, this is not reflected in firms' state of readiness.
The study found only one in ten companies (ten per cent) achieved 'expert' status for their cyber readiness this year, using the firm's quantitative model – a slight drop from 11 per cent in 2018. However, nearly three-quarters (74 per cent) were rated as unprepared 'novices', while there was an especially large drop in the number of larger US and German firms achieving 'expert' scores.
In the UK, 72 per cent of firms were rated as novices, but one in five firms admitted to having no defined role within their organisation for cyber security – a higher proportion than any other country in the study, with the exception of the US.
"Firms are less confident in the efficacy of the security measures they have put in place, and in many areas, confidence has been declining ever since our first report in 2017," Hiscox noted, with the firm suggesting this reflects not only the growing intensity of the threat, but also the increasing regulatory demands being placed on them.
Therefore, it's clear there is still a lot of work to do if businesses are to be fully prepared for a cyber security incident. For many firms, it is likely to be a case of when, rather than if, they are targeted by criminals, so taking steps to ensure they are as prepared as possible will be the key to protecting their most precious assets.