Which of the following is more likely in your organization: a fire, a theft, or a cybersecurity incident? According to the latest Hiscox Cyber Readiness Report, a cybersecurity incident leads the threat landscape at 30%, compared to a 2% likelihood of a fire. Viewed another way, the likelihood of a cybersecurity incident against an organization is 15 times greater than that of a fire. The most startling statistic is that most firms still only carry general coverage, rather than a stand-alone cybersecurity insurance policy.

As a cybersecurity professional, the details of an insurance report may not be first on your reading list. Most cybersecurity people await reports from companies specific to the cybersecurity industry, such as the Verizon Data Breach Investigations Report (DBIR), Symantec's Threat Landscape, and others. However, more cybersecurity personnel are now taking a holistic view of the security landscape. The figures in a cyber-focused insurance report put a cost on potential threats; they can be useful when deciding how to allocate the business's resources, and they give leadership a tangible threat assessment. As many experts have advised, the ability to understand and speak the language of the C-suite is the best way to turn the case for security into budget for a more robust program. Your CEO has probably never heard of the Verizon DBIR but has definitely had numerous meetings about insurance to protect the organization.

Although the companies surveyed for this report were questioned before the coronavirus pandemic, so the findings reflect their perspectives in more certain times, the Hiscox report still offers interesting details about how cybersecurity has changed over the last year. It seems that many organizations are becoming more cyber aware, resulting in fewer attacks; however, the costs are much higher for that smaller number of attack victims. For example, while only 39% of firms reported an attack in 2020, compared to 61% in 2019, the losses increased by over $50,000. The sum of all reported attacks exceeded 1.8 billion dollars, which is over half a billion more than reported in 2019.

Some trends continue year over year, such as the fact that large companies are still targeted more frequently than smaller companies. However, this does not mean that smaller companies are not attractive targets, as they suffered attacks as well. In part, it is assumed that they are vulnerable because they took no measures to protect themselves. A more "worrying" statistic is that many of the largest companies were unaware of being targeted at all. It is reasonable to conclude that if the largest companies, those with more than 1,000 employees, are unaware of attack attempts, smaller companies are probably in a much worse position not only to anticipate such incidents but also to recover from them.

The big word in cybersecurity over the last few years has been "ransomware". It is surprising to note that, according to the Hiscox report, ransomware came in third on the list of most common causes of breaches. Virus and worm activity, followed by business email compromise, were the top two events. Even though the newer ransomware model is to steal data and hold it hostage, it is still not the most common method of attack. Perhaps next year's report will show a different trend, moving ransomware higher on the list.

The best news from the report is that most firms are taking cybersecurity very seriously, and this has resulted in more preparation as well as greater resilience. Many medium, large, and enterprise companies have increased spending and staff numbers to become more resilient and prepared in the event of a cybersecurity incident. However, smaller companies, which constitute the majority of all respondents, continue to lag in preparation and resilience. Not every business can afford an extensive in-house team, but virtual resourcing models can provide an essential pathway to becoming more cyber secure. Nothing is better than being able to call on an enhanced team, especially if you find yourself in the midst of a cyber event.

You can understand your current risk exposure by taking our Cybersecurity Risk Assessment. The assessment questions are based on the essential cybersecurity controls that help companies avoid hacks and minimize business impact during cybersecurity events. You will receive a copy of the risk baseline report along with a cybersecurity maturity score, based solely on this attestation, together with control implications in areas where your cybersecurity controls may need improvement.

One of the hardest parts of a self-assessment is the candor required for an honest appraisal. When reviewing some areas of the risk assessment tool, some of the responses can be very difficult to face. For example, how thoroughly could you respond to questions about these areas:

  • Security Awareness and Training
  • Asset Baselines, Hardening and Change Management
  • Vulnerability Management
  • Incident Management and Review
  • Information Management and Protection
  • Access and Account Management

Similarly, how comprehensive is your data classification program? Is your network truly segmented? Not only should these questions prompt honest reflection, they should also encourage deeper conversations.

Many assessment questions are reminiscent of a security audit. Can your cybersecurity plans and controls withstand the scrutiny of an audit? With that in mind, one recurring wish of penetration testers and red teamers is that the client not make the engagement so easy. Most real-world exercises result in fairly quick success for the attacking team infiltrating a network. Can your plans stand up to an actual in-depth exercise?

As the Hiscox report shows, cybersecurity risk is real. While no organization can protect against every attack, a risk-based approach built on vulnerability assessments and controls that measure and manage security health is the way to mitigate business-critical risks. To discover more about how ITEGRITI can help protect your business, take a look at our key services.