The study revealed that cyber-attacks have reached a new level of intensity, with 61% of firms reporting an attack in the last year, compared to 45% the previous year. In the UK, the percentage increased from 40% to 55%, whilst in the US it increased from 38% to 53%.
The report also revealed that whilst larger firms are most likely to suffer a cyber-attack, small firms, with fewer than 50 employees, reported an increase in cyber-attacks from 33% to 47%. Similarly, medium-sized firms, employing 50–249 people, also reported a sharp increase from 36% to 63%.
The report found that 65% of respondents had experienced at least one cyber-attack due to a weak link in their supply chain, and when asked how often they reviewed the security of their supplier networks, 74% said they did so at least once a quarter or on an ad-hoc basis.
Average losses from breaches soared from $229,000 to $369,000 in the past year, an increase of 61%. Most alarmingly, the mean cost of the largest single cyber-attack came to $34,000 a year ago; this year there has been a six-fold increase, with a cost of just under $200,000.
Cybersecurity spending went up by 24% in the past year to reach $1.45 million, with two-thirds of respondents planning to increase their cybersecurity budgets by 5% or more in the next year. UK firms were reported to have the lowest cybersecurity budgets, with less than $900,000 compared to the average $1.46 million.
Gareth Wharton, Hiscox Cyber CEO, said that the low UK spending could be a consequence of the large number of small businesses in Britain.
“They may feel like they won’t be targeted, as we tend to only read about large breaches in the press. If they incorrectly feel that they won’t be targeted, they may be less likely to spend on cyber security.”
Wharton stated that “cyber threat has become the unavoidable cost of doing business today.”
However, he added, “the one positive is that we see more firms taking a structured approach to the problem, with a defined role for managing for cyber strategy and an increased readiness to transfer the risk to an insurer by way of a standalone cyber-insurance policy.”