Cyberattacks continue to rise in both frequency and cost, and businesses are boosting their security budgets to better defend themselves. But more may be required, according to a Tuesday report from Hiscox.
For its annual The Hiscox Cyber Readiness Report 2019, Hiscox surveyed almost 5,400 business professionals across the US, UK, Germany, Belgium, France, Spain, and the Netherlands, all of whom are responsible for their organization’s cybersecurity.
SEE: Phishing attacks: A guide for IT pros (free PDF) (TechRepublic)
A full 61% of the respondents said their business was hit by a cyberattack over the past 12 months, compared with 45% over the year before. Specifically, 24% of the respondents reported a virus or worm, and 17% said they were hit by a ransomware attack. The number of respondents who reported a distributed denial-of-service (DDoS) attack rose to 15% from 10% the prior period.
Among the 3,300 firms hit by attacks, around 2,250 of them calculated the cost to their business. Among those, the median cost for losses as a result of these attacks was $360,000, up from $229,000 from the previous 12 months. Further, the median cost of the largest single incident rose to $200,000, up from $34,000.
To combat the increased number of cyberattacks, 72% of the respondents said their companies plan to boost spending on cybersecurity over the coming year. Only 50% said they plan to spend more on technology, down from 57% the prior 12 months. But the percentage of respondents who plan to spend more this year rose in all other areas, including employee training, security consultants and third-party services, cyber security staffing, and security outsourcing.
Beyond increasing spending, though, companies concerned about cyberattacks need to look at their reliance on the supply chain and the cloud, the report noted. A full 65% of respondents said they suffered one or more cyberattacks due to a weak link in their supply chain. Some 74% said they evaluate the security of their supplier networks at least once a quarter or on an ad-hoc basis. But only 8% said they had increased the frequency of their supply chain valuations due to a cyber incident over the past year.
Some 22% of respondents reported problems due to outages from third-party cloud providers, up from 13% over the previous 12 months. Large enterprise companies were more likely to report a cloud-related incident than were smaller organizations.
Only 16% of those surveyed said they have “no defined role for cyber security,” down from 32% the prior 12 months. Most have their own internal head of cyber security or a dedicated team, while 19% said they used an external provider. And only 32% said they changed nothing following a cyber security incident, down from 47% previously.
However, businesses expressed less confidence in their security measures, as Hiscox noted that overall confidence in this area has been shrinking the past couple of years. This downturn likely reflects not just a greater intensity in cyber threats but also stricter guidelines from the GDPR and the New York Department of Financial Services Cyber Security Regulation.
“The message that cyber risk is a real threat to businesses of all sizes is sinking in,” said Meghan Hannes, Cyber Product Head for Hiscox in the US, in a press release. “Companies are increasingly aware of the risks and pouring more resources into cyber protection, and yet, there is still a tremendous gap between awareness of the issue and actually having an effective defense.”