Commentary

Cyberattack Costs for US Businesses up by 80%

Cyberattacks keep inflicting more expensive damage, but firms are responding decisively to the challenge.

In seven out of eight countries, cyberattacks are now seen as the biggest risk to business — outranking COVID-19, economic turmoil, skills shortages, and other issues. The "Hiscox Cyber Readiness Report 2022," which assesses how prepared businesses are to fight back against cyber incidents and breaches, polled more than 5,000 corporate cybersecurity professionals in the US, UK, Belgium, France, Germany, Ireland, Spain, and the Netherlands. These experts had some enlightening things to say.

Cyberattacks Are a Bigger Concern for US Businesses Than the "Great Reshuffle"

According to the report, IT pros in US businesses are more worried about cyberattacks (46%) than the pandemic (43%) or skills shortages (38%). And the data prove it. The survey indicates that in the past 12 months, US businesses weathered a 7% increase in cyberattacks. Approximately half of all US businesses (47%) suffered an attack in the past year.

Remote work has caused many smaller organizations to use cloud solutions instead of utilizing in-house IT services. However, with more cloud applications and APIs in use, the attack surface has broadened, too, making these organizations more vulnerable to cybercrime.

COVID Has Caused Businesses to Double Their IT Spending

Although the proportion of staff working remotely almost halved in the past year — from 62% of the workforce in 2021 to 39% in 2022 — overall IT expenditures doubled, from $11.5 million in 2021 to $24.2 million this year. "Despite 61% of survey respondents now being back in the office, businesses are still experiencing a hangover from the pandemic," Alannah Paul, cyber product head for Hiscox in the US, said in a statement. "Remote working provided a year-long Christmas for cybercriminals, and we can see the results of their cyber-feast in the increased frequency and cost of attacks. As we move into a new era of hybrid working, we all have an increased responsibility to continue learning, and managing our own cybersecurity."

The Costs Keep Rising

It may come as no surprise that as more organizations evolve and scale their digital business models, the median cost of an attack has surged — from $10,000 last year to $18,000 in 2022. The US is bearing the brunt of generally higher cyberattack costs, with 40% of attack victims incurring costs of $25,000 or higher. The most common vulnerability — i.e., the entry point for cybercriminals — was a cloud-based corporate server.

However, in terms of attack costs, the report reveals major regional disparities. While one organization in the UK suffered total attack costs of $6.7 million, the hardest-hit firms in Germany, Ireland, and the Netherlands paid out more than $5 million. In turn, Belgium, France, Germany, and Spain all experienced stable or lower median costs.

US Companies Lead in Cyber Maturity but Are More Likely to Pay a Ransom

The US recorded a "cyber maturity" score of 3.05 — the highest among the countries ranked — compared with the average of 2.94. Still, US companies were the most likely to pay a ransom to recover their stolen data. Eighty-four percent of American companies that suffered a ransomware attack paid up.

On the other hand, Hiscox reported that the median cost of total ransoms paid is down by 20%, and recovery costs have nearly halved. More firms got their data back or succeeded in restoring it. Larger organizations, with 1,000 or more employees, are more likely to have recovered their data (68% compared with 59% on average) and are far less likely to have had their data exposed (20% compared with 29% on average).

Closing Remarks

While cybercriminals have always preferred to go after high-value, high-profile companies, they're starting to move lower down the food chain. According to the report, firms with revenues of $100,000 to $500,000 can now look forward to as many cyberattacks as firms that earn $1 million to $9 million annually. Regardless of size, no one is immune. Doing the basics well is vital, and relatively low cost, especially when set against the cost of managing a wide-ranging attack and the outage that comes along with it.

Increasing awareness of cyber threats is a positive signal, and a step in the right direction. Smaller organizations aren't planning to — and probably can't — cover quite as many bases as their larger counterparts. But they're not far behind. For instance, 44% of the smaller firms included in the Hiscox report said they plan to regularly simulate a cyberattack to gauge their company's incident response plan, compared with 58% of the big firms. Not bad.

On the other hand, the number of organizations reporting attacks has risen, and so has the severity of the attacks. The scale of the challenge is nothing to sneeze at. As such, all companies, large and small, must implement a carefully structured approach to effectively and successfully combat cyber threats.
