Chicago-based insurance company Hiscox commissioned a survey of more than 4,100 organizations and found that 7 out of 10 were not prepared for a cyberattack.
This institutional lethargy persists even in the face of steadily rising cyber threats, as highlighted in consultancy Risk Based Security's 2017 Data Breach QuickView Report issued earlier this month. That report tallied up 5,207 breaches, and over 7.8 billion records exposed in 2017, surpassing previous high marks for both by more than 20 percent.
Indeed, some 45 percent of the executives and IT professionals who took the Hiscox poll said their organizations--based in the US, UK, Germany, Spain and the Netherlands--experienced at least one cyberattack in the past year, while two-thirds suffered two or more attacks.
This is the back story to the never-ending parade of high-profile data breaches that hit the daily news cycle with numbing regularity. Equifax, Yahoo, Uber et al. remind us how even large enterprises--companies that spend millions on security--routinely fail at defending their networks and protecting their customers' private information.
The Hiscox study found the costs of cybercrime ranged as high as $25 million for one U.S. incident, and $20 million each for individual attacks in Germany and the UK. The average cost for all attacks reported by the poll takers: $229,000.
There's no question cybersecurity is a complex, continually evolving challenge. Just as clearly, the substantial collective defenses put up by the business and government sectors--an annual $93 billion global market for cybersecurity products and services--aren't enough.
To be sure, there are innovative technical solutions and best-practice standards aplenty. But somehow the much-discussed combination of technology, processes and training, a combination that is known to slow cyberattacks, has not yet taken root in our collective approaches to cybersecurity.
"Despite the criticality of security, it is becoming a world of haves and have-nots," observes Brian NeSmith, CEO of Arctic Wolf Networks, which supplies security services to smaller businesses. "It's a problem that cannot be solved by just buying products because it requires a level of in-depth expertise and dedicated personnel."
On average the 4,100 companies participating in the Hiscox survey reported spending $11.2 million a year on IT, with 10.5 percent of that budget spent on cybersecurity. Smaller firms, in particular organizations with fewer than 250 employees, tended to devote a smaller proportion of their IT budgets to cybersecurity--9.8 percent on average versus 12.2 percent for larger organizations.
If you're not flabbergasted, you should be. First of all, the idea that cybersecurity is a subset of IT is about as respectable as the idea that non-securitized mortgage derivatives are the best way to invest your child's college fund. Cybersecurity should be the starting point, and it should have global oversight within an organization.
Network disruptions and data theft tend to be much more debilitating to small and mid-sized businesses than to large enterprises with hefty resources. "While their IT budgets are likely more modest, smaller firms need to make sure that an appropriate proportion of this budget is devoted to cybersecurity," says Dan Burke, Hiscox's head of cyber products in the U.S. "There are ways to prepare your business that don't require a significant financial spend."
You can do something even if you own a small business. For starters, get some help crafting and implementing an effective cyber incident response plan; also, train and encourage your employees to practice cyber hygiene.
While you're at it, look into outsourcing some routine security tasks to a service provider. There are many out there, and service packages are steadily becoming more cost-effective for smaller firms.
"Security operations center service providers offer many of the things you need for advanced threat detection and response, replacing the need to build this capability in-house," offers Arctic Wolf Networks' NeSmith. "Depending on your budget and needs, going with a service may be the fastest and most cost-effective way to execute a smarter cybersecurity strategy."
There's no easy answer when it comes to cybersecurity. The Hiscox report is yet another reminder that we remain entrenched in an escalating war of attrition that demands our constant attention. At the moment, and for the immediate future, cyber criminals have the upper hand. This means every consumer, every employee and every company leader must take privacy and security much more seriously.
Here's sound counsel from Hiscox's Burke: "Businesses must have a clearly defined cybersecurity strategy in place. Elements should include a formal budgeting process, well-defined decision structures and processes, and an awareness of changing compliance requirements.
"Businesses should engage a broad range of stakeholders . . . part of this process includes having one or more roles dedicated to cybersecurity with a dedicated support team, if possible, and making sure this person is measuring the business impact of any incidents and implementing security technologies."
Adam Levin is chairman and founder of CyberScout.