News emerged in a new report last week that just 10% of European and US firms are “cyber ready”, despite surging attacks. The study from insurer Hiscox — which spanned the UK, US, Germany, Belgium, France, Spain, and the Netherlands — should be something of a wake-up call for IT and cybersecurity leaders. SMEs, in particular, are said to be in the firing line.
Although technical controls certainly play their part in helping to mitigate risk and improve preparedness, the report revealed that cultural changes and a more proactive approach to training are equally important. Perhaps it’s time for the security industry, in general, to take a more holistic approach to threat prevention that’s not so solution-centric.
Attacks soar in 2018
The percentage of firms classed as “experts” in cyber-readiness actually dropped from 11% last year. Yet the threats facing them have never been more pronounced: 61% reported an attack over the past year, up from less than half (45%) the year before. The figure rose even higher in France (67%) and Belgium (71%). The frequency of attacks has also increased, as has their cost: up 61% from $229,000 last year to $369,000 in this year’s report, with medium and large firms bearing most of the financial impact.
According to an FBI report also out last week, total losses from global complaints to the Bureau’s Internet Crime Complaint Center in 2018 reached $2.7bn, with nearly half ($1.3bn) coming from Business Email Compromise attacks. Ransomware losses also surged, from $2.3m to $3.6m, although many more attacks go unreported.
As we’ve noted many times before on this blog, the supply chain also continues to represent a major area of risk for organisations. Nearly two-thirds of respondents (65%) to the Hiscox report claimed to have experienced cyber-related issues amongst third parties over the past year. As the National Cyber Security Centre has warned in the past: “It is clear that even if an organisation has excellent cybersecurity, there can be no guarantee that the same standards are applied by contractors and third-party suppliers in the supply chain. Attackers will target the most vulnerable part of a supply chain to reach their intended victim.”
Frustratingly, spending on cybersecurity actually rose 24% year-on-year, with two-thirds of respondents to the Hiscox study claiming they will increase this by a further 5% in the year ahead. However, despite the 5,400 firms interviewed for the report spending a staggering $7.9 billion altogether on cybersecurity last year, they remain poorly prepared for a potential attack. It’s clear that spending is perhaps not being directed to the right areas.
Getting buy-in from the top
In fact, the majority of firms appraised in the report are classed as “cyber novices”. Spain (76%), the Netherlands (76%) and France (81%) have a particularly high proportion of these organisations. How exactly are the categories assigned? Well, tellingly, the insurer asked questions of participating organisations not just on technology, processes, and resourcing but also strategy and oversight.
This is where leadership matters. There has to be executive buy-in for cybersecurity programmes or they can struggle to make an impact on the organisation. The advent of the GDPR and NIS Directive in Europe should have helped to drive this kind of personal engagement from the boardroom, but in some cases, it’s still being paid only lip service.
A UK government report out in March, for example, found that in 77% of FTSE 350 firms, board discussion and management of cybersecurity had increased since May 2018. However, on the flip side, only 16% said their board has a comprehensive understanding of the impact of cyber loss or disruption, and less than half claimed to have a dedicated budget for cybersecurity.
Building a security-first culture of course takes time, and it may only be after several years of GDPR and NIS Directive fines and regulatory scrutiny that boards begin to get the message. But good security shouldn’t be seen as an insurance policy. In reality, it has just as important a role as a driver of digital transformation and growth.
Focus on training
Here are some more key areas from the report that firms could consider to improve their cyber readiness:
- Set a clear strategy involving multiple stakeholders inside the business
- Install a dedicated head of cyber
- Monitor/audit the supply chain and contracts regularly
- Have processes in place to track, document, and measure impact
- Be willing to learn from and respond quickly to incidents
- Consider cyber insurance
- Raise awareness of cybersecurity among employees, with proactive testing
The latter is particularly important. To an extent, the cybersecurity industry has been guilty from day one of promoting its latest and greatest products as the solution to the latest threats. It’s just the way things work. But for SMBs especially there are many things that could be done without having to invest huge sums in these advanced products. Training is one of them. With the right tools in hand you can run convincing simulations of real-world phishing scenarios to help change behaviours on the frontline of cyber threats.
Turning your employees into a strong first line of defence will not only help to mitigate risk but also build that culture of cyber awareness all organisations should aspire to.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.