The introduction of tough EU data protection laws in May 2018 prompted some companies to bolster their cyber security. However, many companies have experienced an increase in cyber-attacks and higher losses from data breaches, according to recent studies.
Almost one third (32%) of businesses experienced a cyber security attack in the last 12 months, down from 43% the previous year, according to the 2019 Cyber Security Breaches Survey, published by the UK’s Department for Digital, Culture, Media and Sport (DDCMS).
The incidence of cyber attacks was, however, much higher among medium size businesses (60%) and large businesses (61%).
While fewer businesses have identified breaches or attacks, the ones that have are typically experiencing more of them. In addition, the cost of a data breach has risen significantly, according to the DDCMS report, which surveyed over 1,500 UK companies of varying sizes.
Of those businesses that suffered attacks, the median number of breaches rose from four in 2018 to six in 2019. The survey also shows that 48% of attacked businesses identified at least one breach or attack every month.
The most common breaches or attacks were phishing emails, followed by instances of others impersonating their organisation online, viruses and other malware, including ransomware.
The average cost of a cyber-attack for a business has increased by more than £1,000 since 2018 to £4,180. The average cost faced by larger businesses is typically much higher at £9,270 for medium size firms and £22,700 for large firms in 2019.
For companies that suffered a breach, 19% said staff had been stopped from carrying out their daily work, while 27% said employees were diverted to deal with an attack.
However, companies often undervalue the true cost and impact of cyber security breaches, according to the report. Indirect costs, long-term costs and intangible costs of breaches, such as lost productivity or reputational damage, tend to be overlooked.
Another study by insurer Hiscox also reported a sharp increase in the cost of cyber-attacks. Hiscox Cyber Readiness Report 2019, which surveyed more than 5,400 organisations across seven countries, found average losses associated with all cyber incidents increased 61% to US$369,000. For large firms cyber-related losses are now on average US$700,000, compared with US$162,000 a year ago.
Hiscox’s report, which surveyed private and public sector organisations in the US, UK, Belgium, France, Germany, Spain and the Netherlands, also recorded an increased intensity of cyber attacks. Three out of five firms (61%) experienced one or more attacks in the past year, up from 45% in the 2018 report.
The study also noted an increase in attacks against small and medium size firms. While larger firms are still the most likely to suffer a cyber-attack, the proportion of small firms reporting an incident was up from 33% to 47%. In contrast, the proportion among medium size firms leapt from 36% to 63%.
Interestingly, Hiscox also found that supply chain incidents are now commonplace. Nearly two-thirds of firms (65%) have experienced cyber related issues in their supply chain in the past year, and just over half (54%) now evaluate the security of their supply chains at least once a quarter or on an ad hoc basis.
The DDCMS survey found encouraging signs that business leaders are taking cyber security more seriously than ever before. For example, the survey found that a number of companies had increased their planning and defences against cyber attacks since 2018.
The number of companies with a written cyber security policy has increased in 2019, 33% said they had such a policy, compared with 27% in 2018. A similar picture emerges with cyber risk assessments - in 2019, 31% said they had carried out a cyber risk assessment in the past 12 months, compared with 24% in 2018.
Another positive trend has been board engagement with cyber risk, although there is still some way to go, according to the report.
The proportion of businesses with a board member dedicated to cyber security has increased by five percentage points since 2018 to 35% this year, and is much higher at 59% for large companies.
More businesses (57% in 2019 compared with 51% in 2018) update their senior management on actions taken around cyber security at least once a quarter. Over the longer term, the proportion of businesses saying they never update senior managers has fallen from 26% in 2016 to 17% in 2019.
The overall reduction in companies experiencing a cyber attack may be the result of tough new data protection laws under the General Data Protection Regulation (GDPR), according to DDCMS. Almost a third (30%) of businesses have made changes to their cyber security policies and processes as a result of the new rules, implemented in May 2018.
However, the reduction could also be down to a change in attacker behaviour, with more attacks focused on a narrower range of businesses, it said.
While the GDPR appears to have positively impacted cyber security, organisations need to think more “holistically” about the issue, the DDCMS said.
The findings suggest that the GDPR has had some unintended consequences and led some organisations to frame cyber security largely in terms of exclusively avoiding personal data breaches.
To Do List
With the rising costs and intensity of attacks, the DDCMS concludes that businesses can no longer ignore the threat of cyber and should make cyber security and risk management a priority. There is more that organisations can do to protect themselves from cyber risks, according to DDCMS, particularly around board level involvement in cyber security, monitoring suppliers and planning incident response.
While more businesses now have a board member with specific responsibility for cyber security, the proportion remains low overall, according to the report.
A similar picture emerges for monitoring suppliers and planning incident response only one in five businesses (18%) require their suppliers to adhere to any cyber security standards, while just 16% have formal cyber security incident management processes in place.
Training is another area highlighted as having a “long way to go” to ensure organisations are better protected. Less than three in 10 (27%) of those companies have trained staff to deal with cyber threats in the last 12 months.
Like DDCMS, Hiscox also highlighted the need for organisations to improve their cyber security. Despite an increased threat from cyber, more companies failed cyber readiness tests, it said. Nearly three-quarters (74%) were ranked as unprepared, while only one achieved "expert" status in 2019, compared with 11% in 2018.
The Hiscox survey also showed growth in cyber insurance. 41% of the companies surveyed said they have taken out cyber insurance in the past year, compared with 33% in 2018; while a further 30% plan to take out cover in the year ahead. More than half of larger firms now have cover, but only 27% of smaller firms are protected, the insurer said.
The DDCMS report found cyber insurance purchasing rose significantly for medium size businesses (up to 31% from 19% in 2018) and large businesses (up to 35% from 24% in 2018). However, just 11% of all businesses have a specific cyber security insurance policy, which goes almost unchanged since 2018.
Companies are of the view that the cyber insurance market has become more developed, with policies appearing to be more accessible than before, according to in-depth interviews with some survey respondents. Some respondents also said that insurance premiums had decreased.
Only 3% of organisations with cyber insurance said they had made a claim. However, a number of organisations said the main drivers for taking up insurance were breach response and crisis management services.
They said these extras help manage the reputational damage from a breach, which was their greatest concern.
Some organisations were also found to be using cyber insurance as a proxy form of accreditation. Having insurance was something they could advertise to their business clients to demonstrate they had undertaken due diligence, the report said.