Why Most Companies Are Unprepared for a Cyberattack

I was looking around at what’s new online, and just discovered the Hiscox 2018 Cyber Readiness Report. This is the second Hiscox Cyber Readiness Report, conducted by Forrester Consulting, and it puts the spotlight not only on the financial consequences of individual cyber breaches but also on the enormous cost in terms of investment made to counter the threat.

The report concludes that most companies are unprepared for cyberattacks.

And it breaks down the headlines by country:

The focus on cybercrime is something we will be covering at the Financial Services Club on March 27, when Steven Wilson, head of the Europol cybercrime unit, tells us what Europe is doing to protect itself from cybercrime (you can read more on that here). In the meantime, just in case you’re thinking of reading it, here’s the summary:

Seven out of ten organisations fail the cyber readiness test

We measured organisations’ cyber security readiness according to the quality of their strategy (broken down into oversight and resourcing) and execution (processes and technology). From this we produced a cyber readiness model that divided respondents into ‘cyber novices’, ‘cyber intermediates’ and ‘cyber experts’. Nearly three-quarters of organisations (73%) fell into the novice category, suggesting they have some way to go before they are cyber-ready. Only 11% qualified as experts.

Keen awareness of the threat

While many firms lack adequate defences, most are keenly aware of the potential impact of a cyber attack. Two-thirds of respondents (66%) rank the cyber threat alongside fraud as the top risks to their business.

Larger firms show the way

The larger organisations in the sample are better prepared: more than one-in-five (21%) of those with 250 employees or more rank as experts. A further 17% qualify as intermediates. US and UK firms generally score better than the rest (13% are experts) while Dutch firms come bottom of the pile (just 7% are experts). Not surprisingly, perhaps, technology, media and telecoms organisations score highly. At the other end of the scale, professional services firms have some catching-up to do.

Smaller firms lack resources

Organisations with fewer than 250 employees devote a smaller proportion of their IT budgets to cyber (9.8% on average versus 12.2% for larger organisations). In accordance with the findings mentioned above, just 7% of smaller firms rank as cyber experts.

You get what you pay for

On average, the organisations in our sample had an IT budget of $11.2 million, of which 10.5% was devoted to cyber security. However, the cyber experts had markedly bigger IT budgets than the novices ($19.8 million on average versus $9.9 million) and devoted a higher proportion to cyber security (12.6% versus 9.9%). Some firms spent a lot more – with 37% devoting between 11% and 25% of their IT budgets to cyber. Financial services firms are the largest spenders on cyber, followed by the pharmaceuticals and healthcare sector and then government entities.

Experts more proactive

What sets the cyber experts apart from the cyber novices? Nine out of ten (89%) have a clearly defined cyber strategy, most (72%) are prepared to make changes after a breach and 97% incorporate security training and awareness throughout the workforce. Seven out of ten (72%) have conducted phishing experiments to gauge employee preparedness and three out of five (60%) say they have cyber insurance.

Evens chance of being targeted

Almost half (45%) of the 4,103 organisations surveyed were hit by at least one cyber attack in the past year and two-thirds of those targeted suffered two or more attacks. Spanish organisations were the most heavily targeted (57% suffered an attack). Financial services, energy, telecoms and government organisations are prime targets for hackers.

Costs range up to $25 million

Taking only those organisations that were targeted, the average cost of cyber crime, aggregating all incidents, to each business over the past year was $229,000. But the average masks some wide variations. For the largest organisations in the report (those with 1,000-plus employees), the average costs ranged between $356,000 in Spain and $1.05 million in the US. Some organisations faced still higher costs – up to $25 million in the US and $20 million in Germany and the UK. For the very smallest (those with fewer than 100 employees), average costs ranged between $24,000 in Spain and $63,000 in Germany.

German firms face costliest incidents

We asked organisations to estimate the cost of their single largest incident. German firms reported the highest average figures with the highest cost for a single incident of $5m. At the other end of the scale, Spanish organisations contained the cost per incident to a maximum of $800,000.

Spending set to rise

Nearly three out of five respondents (59%) plan to increase their cyber security budgets in the year ahead. New technology tops the shopping list despite this being the area where the bulk of firms appear best prepared. The experts lead the way: for example, more than half (55%) plan to increase spending on awareness training compared with only 29% of novices.

Watershed year for cyber insurance? 

The EU’s General Data Protection Regulation (GDPR) comes into force in May. With tough penalties for the loss of personal data, it is expected to provide a boost to European take-up of cyber insurance. The report shows that one-third (33%) of respondents currently have standalone cyber cover while a further quarter (25%) say they plan to take out cover in the coming year. Nearly two out of five (38%) still say they have no plans to take out cover. Most likely to be covered are financial services firms (48%). The report also reveals considerable confusion over the extent to which firms are covered for cyber incidents under their general business policies.


The Hiscox Cyber Readiness Report is compiled from a survey of more than 4,100 executives, departmental heads, IT managers and other key professionals in the UK, US, Germany, Spain and The Netherlands. Drawn from a representative sample of organisations by size and sector, these are the people on the front line of the business battle against cyber crime. While all are involved to a greater or lesser extent in their organisation’s cyber security effort, 45% make the final decision on how their business should respond.

Chris Skinner
