How prepared is your organization to tackle today’s sophisticated cyberthreats that are growing in both number and intensity? Modern-day organizations are facing the reality that the consequences of a successful cyberattack extend well beyond financial losses. Despite being susceptible to evolving cybersecurity risks, organizations still struggle to achieve cyber readiness, especially small and midsize businesses (SMBs).
One of the ways businesses equip themselves to combat this growing menace is through cyber insurance coverage. A recent report by Hiscox highlights the level of cyber readiness among businesses, why companies are purchasing cyber insurance and how experts (organizations with a high level of cyber maturity) are dealing with cyberthreats. Read on to learn about the key findings from the report and best practices to win the battle against cybercrime.
The current state of the cybersecurity landscape
Hiscox Ltd. recently released its Cyber Readiness Report 2022, for which it surveyed over 5,000 professionals from eight countries: the U.S., the UK, Belgium, France, Germany, the Netherlands, Spain and Ireland. The report paints a picture of the level of cyber readiness among businesses.
As per the report, almost half (48%) of businesses surveyed suffered a cyberattack in the past twelve months, indicating an increased intensity of attacks compared to 2021. Among those attacked, one-in-five companies said their solvency was threatened, increasing bottom-line pressure.
Ransomware attacks continue to rise, with 19% of respondents (16% in 2021) confirming an attack on their business. And two-thirds of ransomware victims said they ended up paying the ransom.
A significant highlight of the report is the increasing attacks on cloud infrastructure. The attacks on cloud workloads may be due to the rapid adoption of the cloud to support remote work.
Figure 1: Cyberattacks: Country-wise comparison (Source: Hiscox)
Perception of cyberthreats among those attacked and not attacked
Seven out of eight countries surveyed revealed that cyberthreats are the No. 1 risk to their business. However, there are exceptions. This perception is primarily influenced by their past experiences — whether or not they have experienced an attack. Over half (55%) of businesses that have previously suffered an attack consider cyberthreats a high risk. On the other hand, only 36% of non-victims classify cyberattacks as a high risk.
The same can be seen with risk exposure as well. Over 40% of businesses that have suffered an attack said their risk exposure has increased, while among firms that did not experience an attack, the figure is just 23%. Experts and insureds have a greater awareness of the threats that loom large. Despite having better cyber defense systems, the majority of experts and insureds (58%) regard their organization’s exposure to cyberattacks as high or very high. That figure is only 32% among novices (organizations with a low level of cyber maturity). Additionally, among those businesses that currently do not have cyber cover and aren’t planning to get one soon, 51% are novices. These perceptions are driven mainly by the fact that they haven’t experienced an attack.
Threat actors shift their focus from enterprise firms to SMBs
An interesting finding from the report is that hackers have widened their scope, shifting focus from enterprise firms to SMBs. What does this mean for SMBs and other smaller businesses? A simple answer is that they can now expect to witness attacks as often as the larger firms do. While the perception is that larger firms are prime targets given their size, the reality is that a company’s size doesn’t matter to hackers as long as they stand to benefit from the attack.
The study revealed businesses with an employee count between 250 and 999 saw the average number of cyberattacks climb to 69 from 45 in 2022. For companies with 10 to 49 employees, the average number of attacks rose from 31 to 56. And those under 10 employees saw the number jump to 40 from 11 (an almost fourfold increase in attacks).
While some sectors are more attractive than others to cybercriminals, the report also draws attention to shifting sectoral focus. Energy, transport and distribution verticals, which were top targets in 2021, saw the number of cyberattacks drop significantly in 2022. On the other hand, sectors like travel and leisure (61%), professional services (58%) and retail or wholesale (56%) witnessed a marked rise in attacks.
Common methods hackers used to break in
Threat actors constantly look for vulnerabilities to exploit to penetrate an organization’s network. Since cloud adoption has drastically increased in recent years, it should come as no surprise that hackers are increasingly attacking cloud servers. As per the report, 41% of cyberattacks found their way in through cloud servers, closely followed by business email (40%), corporate servers (37%), remote access servers (31%), employee-owned mobile devices (29%) and Distributed Denial of Service (DDoS) attacks (26%).
Costs of cyberattacks continue to rise
The median cost of a cyberattack increased to $18,000 in 2022, compared to $10,000 in 2021. In Ireland, costs doubled to $16,800, while in the UK, costs more than doubled to $28,100. However, these figures are only the tip of the iceberg as the number of firms that laid off employees after suffering an attack doubled to 11% from 5% in 2021. Furthermore, one-in-five respondents surveyed said that the fine paid to a government agency was nearly twice as much as in 2021. For 21% of respondents, the impact of cyberattacks threatened their organization’s solvency. The percentage of ransomware victims increased to 19% from 16% in 2021. Among the victims, 66% paid the ransom while 53% paid the ransom on multiple occasions. On the bright side, many organizations could recover or rebuild their data from backups on numerous occasions.
Figure 2: Effects of a cyberattack (Source: Hiscox)
Factors influencing cyber insurance adoption
According to the Cyber Readiness Report 2022, 64% of businesses now have cyber insurance as either a standalone policy or as part of another business insurance package. When it comes to cyber insurance adoption, experts (46%) lead the way and have a standalone cyber insurance policy, followed by intermediates (31%) and novices (29%). The percentage of firms with cyber insurance coverage has risen by 6% from 58% compared to two years ago.
Among the study group, nearly four in five businesses said they do not currently have cyber cover and do not plan to get it. This group falls under the “novices” category on the cyber maturity scale. Generally, businesses with cyber insurance are considered to be more cyber-ready. They are more likely to have security systems in place to effectively deal with cyberattacks compared to those that don’t have any cyber coverage.
As per the study, the top three reasons for adopting cyber insurance are:
- To access expertise like crisis management or IT forensics
- Concerns about data security
- To demonstrate an organization’s seriousness about cybersecurity
Given the current cyberthreat landscape, cyber insurance coverage has become a strong consideration for many companies. However, with data breaches and cyberattacks becoming costlier, cybersecurity insurance premiums are getting pricier and coverage more limited. Cyber insurance premiums have risen by 28% on average in Q1 of 2022 compared with Q4 of 2021. With cyber coverage rates continuing to rise and insurance companies offering restricted coverage, cyber insurance adoption will be even tougher for businesses. Moreover, many insurance providers are limiting payouts by creating more claim exceptions and exclusions.
Experts’ approach to cyber readiness
Most companies in the study group that qualify as “experts” are larger firms. It might seem that bigger companies simply have better resources and deeper pockets for cybersecurity spending; however, that’s not entirely the case. What sets them apart is that they are well prepared. They have their cybersecurity response plan in place and clearly defined roles to manage challenges related to cyber-risks. Also, they have the support of the board or management. But more importantly, their strategies align with the U.S. government’s National Institute of Standards and Technology (NIST) cybersecurity framework.
Experts spend time and effort building an incident response plan and testing it regularly to check its viability. They constantly assess their organization’s data and IT infrastructure and train their employees on cybersecurity. Almost half (49%) of the firms surveyed said that the tools they use to back up data are optimized or measured. However, among novices, only 19% said they are prepared to recover IT systems and data should disaster strike.
- Many organizations could recover or rebuild their data from backups on multiple occasions.
- One of the top reasons for adopting cyber insurance is concern about data security.
- Costly data breaches and cyberattacks are making cybersecurity insurance premiums pricier and coverage more limited.
Be cyber-ready by strengthening data protection with Unitrends
As discussed above, threat actors do not discriminate based on the size of a company. Hackers are increasingly targeting small and midsize businesses due to their lack of preparedness and resources. Additionally, rising premium costs make it even more challenging for companies, especially SMBs, to obtain cyber coverage.
During challenging economic times, you need a reliable partner to help maximize the value of your security investments. Improve cyber readiness by reinforcing your organization’s data protection with Unitrends’ Unified Business Continuity and Disaster Recovery (BCDR) solutions. Protect your organization’s data no matter where it lives and achieve 100% confidence in data recovery in the event of a disaster.