Security IT Summit | Forum Events Ltd

Posts Tagged: research

NCSC details key wins in cyber security war

Stuart O'Brien

A scam to defraud thousands of UK citizens using a fake email address spoofing a UK airport was one of a wide range of cyber attacks successfully prevented by the National Cyber Security Centre (NCSC) in the last 12 months.

Details of the criminal campaign are just one case study of many in Active Cyber Defence – The Second Year, a comprehensive analysis of the NCSC’s programme to protect the UK from cyber attacks.

The thwarting of the airport scam was one example in 2018 of how ACD protects the public.

The incident occurred last August when criminals tried to send in excess of 200,000 emails purporting to be from a UK airport and using a non-existent gov.uk address in a bid to defraud people.

However, the emails never reached the intended recipients’ inboxes because the NCSC’s ACD system automatically detected the suspicious domain name and the recipient’s mail providers never delivered the spoof messages. The real email account used by the criminals to communicate with victims was also taken down.

In addition, a combination of ACD services has helped HMRC’s own efforts in reducing the criminal use of their brand. HMRC was the 16th most phished brand globally in 2016, but by the end of 2018 it was 146th in the world.

Dr Ian Levy, the NCSC’s Technical Director and author of the ACD report, said: “These are just two examples of the value of ACD – they protected thousands of UK citizens and further reduced the criminal utility of UK brands. Concerted effort can dissuade criminals and protect UK citizens.

“While this and other successes are encouraging, we know there is more to do, and we would welcome partnerships with people and organisations who wish to contribute to the ACD ecosystem so that together we can further protect UK citizens.

“This second comprehensive analysis we have undertaken of the programme shows that this bold approach to preventing cyber attacks is continuing to deliver for the British public.”

Introduced by the NCSC in 2016, ACD is an interventionist approach designed to stop cyber attacks from ever happening. It includes the programmes Web Check, DMARC, Public Sector DNS and a takedown service.

The ACD technology, which is free at the point of use, intends to protect the majority of the UK from the majority of the harm from the majority of the attacks the majority of the time.

Other key findings for 2018 from the second ACD report include:

  • In 2018 the NCSC took down 22,133 phishing campaigns hosted in UK delegated IP space, totalling 142,203 individual attacks;
  • 14,124 UK government-related phishing sites were removed;
  • Thanks to ACD the number of phishing campaigns against HMRC continues to fall dramatically – with campaigns spoofing HMRC falling from 2,466 in 2017 to 1,332 in 2018. These figures relate to 16,064 spoof sites in 2017 and 6,752 sites in 2018;
  • The total number of takedowns of fraudulent websites across 2018 was 192,256, with 64% of them down in 24 hours;
  • The number of individual web checks run has increased almost 100-fold, and we issued a total of 111,853 advisories direct to users in 2018.

Chancellor of the Duchy of Lancaster and Minister for the Cabinet Office David Lidington said: “The UK is safer since the launch of our cyber strategy in 2016. Over the last three years, and backed by a £1.9 billion investment, we have revolutionised the UK’s fight against cyber threats as part of an ambitious programme of action.

“The statistics and examples in this report speak for themselves. They outline the tangible impact that Active Cyber Defence is having, and how it is a key building block in improving cyber security in the UK now, and in the future.”

The new report also looks to the future of ACD, highlighting a number of areas in development. These include:

  • The work between the NCSC and Action Fraud to design and build a new automated system which allows the public to report suspicious emails easily. The NCSC aims to launch this system to the public later in 2019;
  • The development of the NCSC Internet Weather Centre, which will aim to draw on multiple data sources to allow us to really understand the digital landscape of the UK;
  • We’ll explore developing an Infrastructure Check service: a web-based tool to help public sector and critical national infrastructure providers scan their internet-connected infrastructure for vulnerabilities;
  • NCSC researchers have begun exploring additional ways to use the data created as part of the normal operation of the public sector protective DNS service to help our users better understand and protect the technologies in use on their networks.

You can read the full 2019 report here.

Rob Norris, VP Enterprise and Cyber Security, Fujitsu, said: “Cybersecurity challenges aren’t slowing down and this annual report by GCHQ’s National Cyber Security Centre illustrates the magnitude of the problem. Cybercriminals today are creative and equipped with a multitude of tools helping them see their attacks through, making it vital for all organisations to think how they can safeguard their data and business assets.

“Unfortunately one of the simplest methods of stealing sensitive information is through a basic email phishing campaign, as proved by the fact that NCSC stopped 140,000 phishing attacks last year alone. This is partially because organisations still rely heavily on email to communicate both internally and externally, but also because of the human factor. Human behaviour is cited as the biggest challenge in email security, therefore it is imperative that businesses prioritise vigilance and awareness through education and training. 

“I would advise that some of the things we can do to identify suspected email security threats are hovering over the email hyperlinks before clicking to see the web address; blocking executable files and emails with large attachments; being mindful of password reset emails; and using a VPN when working remotely or using public WiFi. In today’s digital world, no one is immune from data theft, and being vigilant, both as an employee and as a consumer, is paramount.”

UK businesses subjected to one cyber attack every minute in 1Q19

Stuart O'Brien

UK businesses were subjected to 119,659 internet-borne cyber attacks each, on average, in the first quarter of 2019, according to analysis by Beaming.

This rate of attack, which equates to one every minute, was more than double that experienced in the first three months of 2018, when companies were attacked online 53,981 times on average.

Between January and March 2019, Beaming’s cyber security analysts identified 442,091 unique IP addresses that were being used to launch cyber attacks over the internet on UK businesses.

While 51,004 of these could be traced to locations in China and a large amount of attack activity continued to originate in Brazil (32,386) and Russia (31,131), there was also a threefold increase in the number of IP addresses in Egypt (36,282) used to attack UK businesses in the first three months of the year.

Remotely controlled IoT applications and file sharing services were the most likely targets for online cyber criminals, attracting 201 and 114 attacks per day respectively between January and March.

Sonia Blizzard, managing director of Beaming, said: “Cyber attacks continue to be a clear and present danger to UK businesses and the IT infrastructure they rely on. Business leaders should be wary, the rate of attack has been at historically high levels since October last year. Since we started tracking cyber attack activity just over three years ago we’ve come to expect that businesses will be attacked around 20,000 times a month on average. At the moment we are seeing twice that level of malicious activity online.

“While there is plenty that we can do at a network level to minimise the threat of online attacks, businesses need to take cyber security seriously, educate employees and put in place security measures such as managed firewalls to ensure they don’t expose themselves to undue risk.”

Skills shortage and 5G fears at European data centres

Stuart O'Brien

Continuing unprecedented demand for new datacentres, fears around the shortage of skilled professionals, concerns about the future disruption of 5G, and the limited impact of Brexit are some of the key findings from the latest industry survey from Business Critical Solutions (BCS).

The Summer Report, now in its 10th year, is undertaken by independent research house IX Consulting, who capture the views of over 300 senior datacentre professionals across Europe, including owners, operators, developers, consultants and end users. It is commissioned by BCS, a specialist services provider to the digital infrastructure industry. 

The report highlights the rising demand for datacentres with almost two thirds of users exceeding 80% of their capacity today, 70% having increased capacity in the last six months and almost 60% planning to increase capacity next year.

This demand is currently being driven by cloud computing with over three quarters of respondents identifying 5G and Artificial Intelligence (AI) as disruptors for the future.

With industry predictions that edge computing will have 10 times the impact of cloud computing in the future, half of respondents believe it will be the biggest driver of new datacentres.

However, the survey found that the market remains confident that supply can be maintained, with over 90% of developers stating they have expanded their datacentre portfolio in the last six months.

With regard to supply, there are concerns that a shortage of sufficiently qualified professionals at the design and build stages will cause a bottleneck, with 64% of datacentre users and experts believing there is a lack of skilled design resource in the UK. AI and Machine Learning may help to mitigate these issues with nearly two thirds of respondents confident that datacentres will utilise these to simplify operations and drive efficiency.

The political uncertainty around Brexit continues to impact the sector with 78% of respondents believing that it will create an increase in demand for UK-based datacentres. However, the overall feeling was that the fundamentals underpinning the demand for datacentre space, such as the continued proliferation of technology-led services, outweigh these concerns and the European datacentre market will overcome any difficulties that occur.

Commenting on the report, James Hart, CEO at BCS, said: “As always this report makes for fascinating reading and I was encouraged by the overwhelming positive sentiment to forecast growth and the limited impact of Brexit. The fact that half of our respondents believe that edge computing will be the biggest driver of new datacentres tallies with our own convictions. We believe that the edge of the network will continue to be at the epicentre of innovation in the datacentre space and we are seeing a strong increase in the number of clients coming to us for help with the development of their edge strategy and rollouts.”

The full report can be downloaded here.

Image by Jorge Guillen from Pixabay

The Rising Email Threat: Are instant messaging tools the answer?

Guest Post

By Barracuda Networks

At Barracuda we believe two heads are better than one. Following that logic, we can’t argue the value of the opportunity to hear from our peers on industry trends. We recently discovered through such means that, for the channel, email security is its biggest focus in 2019, as partners are increasingly helping their customers fight the battle against email attacks.

This got us thinking: how do end users view email security? And does it match with their channel counterparts? Are they too prioritising it over the next 12 months?

To answer our question, we quizzed 280 high-level decision makers across different industries throughout EMEA on their email security measures, where it falls on their ever-changing priority list, and ultimately how equipped they are for the inevitable attack.

Attacks are going up, up, up 

The results pointed to an industry already aware of – and often affected by – the rising new wave of email threats. Of the 280 decision makers polled, a majority (87%) predicted email threats to increase in the coming year. Perhaps unsurprisingly, the majority (75%) also said they had witnessed a steady increase in email attacks over the past three years against their own organisation. 

Breaking those attacks down, in the last year, almost half (47%) were attacked by ransomware, 31% were victim to a business email compromise attack, and a huge 75% admitted to having been hit with brand impersonation. This final statistic gives credence to our recent spear phishing report, which found that 83% of all the email attacks we analysed focused on brand impersonation. Clearly the criminal’s favourite choice, and for good reason.

Email remains the weakest link

However, regardless of this awareness, many organisations admit to being vastly unprepared when it comes to email security. Despite email being used since the 1990s, a staggering 94% admitted that email is still the most vulnerable part of organisations’ security postures. 

Unsurprisingly, finance departments seem to experience the most attacks, with 57% identifying it as the most targeted department. What was surprising was the rise in customer support attacks; a not insignificant 32% identified this as their most attacked department in what could indicate a new emerging trend for would-be attackers.

Without proper employee training, these attacks will continue to succeed. However, training is still hugely lacking across most organisations we spoke to, with the most popular answer (29%) being from respondents who receive it just once a year. Shockingly, 7% stated they’d either never had training or that they weren’t sure.

The lack of training is clearly leaving employees either confused or unaware of security protocol, as over half (56%) stated that some employees do not adhere to security policies. Of those, 40% said their employees used a ‘workaround’ to do so, perhaps referring to shadow IT solutions and the issues they continue to cause in enterprise IT environments. Both of these issues could be solved by regular and in-depth employee security training.

Not all doom and gloom

That being said, we’d be remiss to ignore those taking measures to reduce email threats. For the 38% whose security budgets are increasing next year, we’d hope security awareness training will play a key role in where the funds will be spent – after all, regardless of whether you have the latest technology, your employees are still the last line of defence.

However, with 62% of security budgets to either stay the same or decrease over the next year, it seems that organisations are taking to other ways to try and reduce the rising email threat. Over a third (36%) are implementing instant messaging applications such as Slack or Yammer, to reduce email traffic.

This approach comes with a warning from us: while we haven’t yet seen attacks using messaging platforms such as Slack, this may well change in the future and doesn’t necessarily mean that these platforms are immune to attacks. Any organisation going down this route should do so with care, as if we know anything about cyber attackers, it’s that they’re always trying new ways to catch their victims out.

Interestingly, those companies using instant messaging tools are more likely to use Office 365 (78%), compared to an average of 56% across the rest of the study. They were also slightly more likely to pinpoint email as the weakest link (97%) versus 92%. With that in mind, security should be front of mind in order to ensure Office 365 environments are fully protected in the move away from Exchange.

In the short term, while a shift away from email to communications tools such as Slack might be tempting in order to temporarily ease the email burden, it might not work out in the long run, as we wouldn’t be surprised if cyber attackers just changed their tactics in response. In the longer term, the right combination of technology and security awareness training is the key to email attack protection. Attacks will always increase in sophistication, but as long as you stay ahead of the game, it is possible to keep the bad guys out. After all, even at 30 years old, email attacks are still proving profitable for cyber criminals, so they won’t stop any time soon… 

Image by rawpixel from Pixabay

More than half of companies have over 1,000 exposed sensitive files

Guest Post

By Matt Lock (pictured), Director of Sales Engineers UK, Varonis

All an attacker needs to steal your valuable data is access.

Unfortunately, many companies unknowingly give attackers access to their critical data. Personal identifying information on employees and customers, intellectual property, and more can easily make their way from secured systems to unprotected files and emails. 

To make matters worse, companies don’t have time to update global access groups, fail to archive old data, and skip monitoring who has access to what information. Once attackers slip through the cracks, they — and corrupt insiders alike — have the access they need to steal your data.

To shed light on the state of overexposed data, we analysed a random sample of 785 Data Risk Assessments, including more than 54 billion files. The results, available in the report Data Gets Personal: 2019 Global Data Risk Report from the Varonis Data Lab reveal that companies are failing to shore up their sensitive data. 

Some key findings from the report include:

  • Every employee, on average, can access 17 million files.
  • More than half (53%) of companies had at least 1,000 sensitive files open to all employees.
  • Over one in five (22%) of all folders were accessible, on average, to every employee. 
  • 38% of users had passwords that never expire, up from 10% last year. 
  • Six in 10 companies had over 1,000 enabled, but stale, “ghost” users — accounts belonging to former employees that can still access your network.
  • Financial services firms had the most exposed sensitive files, with an average of 3,791 exposed, sensitive files per TB.
  • Retail organisations had the lowest number of exposed sensitive files, with an average of 858 exposed, sensitive files per TB.

Despite dire warnings of heavy fines under the GDPR and the steady stream of breaches and attacks in the news, companies are not prioritising their data. Take action with a data-centric security approach to ensure you are not giving malicious insiders and external attackers an all-access pass to your data.

Ramnit Trojan resumes attacks on European financial institutions

Stuart O'Brien

The Ramnit banking Trojan has returned to its old hunting ground after recent forays into the e-commerce space.

The discovery follows analysis by F5 Labs and F5’s EMEA-based F5 Security Operations Center (SOC) examining active Ramnit banking Trojan Malware configurations in February and March 2019.

All signs indicate that Ramnit’s authors are, once again, largely targeting financial services websites to coincide with tax return activity, primarily in Italy.

Ramnit was previously hitting the headlines during the 2018 holiday season for shifting its attack focus to US e-commerce sites.

In the most recent studied Ramnit sample active in March this year, the Trojan’s authors were primarily focused on financial services and financial tech sites in Italy (40% of all attacks). 9% of attacks were aimed at the UK and 8% at France. Overall, 70% of all Ramnit targets in March were European, 27% American and 3% were located across the rest of the world.

Interestingly, while social networking sites made up a smaller portion of targets observed in February and March, some of the biggest social networking platforms in the world were still under fire, including Twitter, Facebook, Tumblr, and YouTube. 

In other notable developments, F5 Labs was able to discover how this March’s Ramnit configurations are continually adapting, including scaling web injection tactics to attack websites. An interesting innovation in this respect entailed going after targets with no link to a specific company or website.

Instead, several words in French, Italian, and English were added to the mix in the hope of catching random websites. Along with the simple word targets, Ramnit also included the name of an Italian Opera and a few misspelled domain names. 

“Ramnit is a persistent banking Trojan that first emerged in 2010 as a less sophisticated form of a self-replicating worm. Today, both its tactics and targets have evolved to include many other industries. It is highly adaptable, as we can see with this recent shift back to the financial sector, as well as its authors’ new attempt to expand the attack surface,” said Roy Moshailov, head of security and malware research, F5 Networks.

“It is critical for banks and financial institutions to implement web fraud protection solutions to protect their customers and to help ease the burden of fraud expenses—especially banks that are actively being targeted. Other industries also need to be aware of attackers’ increasingly clever techniques so they can take similar precautions. The main thing is not to be complacent. Because Trojan malware is typically installed through phishing or malicious advertising, it’s also vital that all organisations provide security awareness training to employees and clients.”

Image by dawnfu from Pixabay

Cybersecurity’s biggest asset: Why use the cloud?

Guest Post

The cloud is one of those hot buzzwords that gets thrown around a lot both in the tech world and in our daily lives.

No longer reserved for IT departments alone, the cloud has become something that we depend upon greatly, especially in the way companies go about their business. And it’s about to become even more important.

In fact research shows that companies are looking to drastically increase their investment in the cloud in the coming years. Morphean recently conducted an independent survey of more than 1500 IT decision makers across Europe to discover their views on cloud services. The survey reported:

  • 78% expect their spending on the cloud to increase in the next two to five years
  • 47% said their internal data would be cloud processed within the same time frame
  • 45% said they would definitely consider migrating their physical security systems, such as video surveillance, to the cloud

There’s no doubt that the cloud is becoming a more important part of everyday business dealings, but some people still have reservations about the safety of this storage system, and whether or not it is worth it. We believe it is, and let us tell you why. 

But what exactly is the cloud?

Short for ‘cloud computing’, the cloud is essentially a terrestrial home for your data. So instead of being stored on the computer in front of you, it’s stored somewhere else, or in multiple places, and it is up to a network of servers to take you to it.

Some everyday examples you may recognise include the Apple iCloud, Dropbox, Google Drive, Microsoft OneDrive, and even Netflix.

Is the cloud the future of cybersecurity?

Unfortunately, the cloud has received some negative press in the last few years in regards to security and safety. In fact, according to the Morphean survey, 45% of people cited security risks as being their biggest obstacle to instigating a full move across to the cloud. 

The only way to truly protect your information is to lock it up underground, but you can rest assured that the cloud is far safer than information stored on a local device. Cloud computing services have more complicated security methods in place than the average computer owner can come up with. Any wannabe hackers would then have to get past the cloud system’s first line of defence: encryption.

Encryption is the practice of using complex algorithms to protect your data. In order to get past these algorithms, the hackers would need something called an encryption key. 

But it’s not all down to these intricate and convoluted systems. In fact one of the biggest threats to cloud security is the barriers set by individual people. In other words, easy-to-guess passwords and security questions.

Above we talked about negative press aimed at the cloud over the past few years, most notably the infamous Apple hack where celebrities had photos stolen and leaked. The media reported that the cloud had been hacked, which led to a drop in public confidence and has no doubt contributed to people’s existing fears. In reality the cloud itself wasn’t hacked, but rather the accounts of individuals who used the cloud to store their data.  

The truth is that the cloud is incredibly safe and secure, but it’s up to individual users to do their part. That means choosing strong passwords by adding letters, numbers and symbols, using different passwords for different accounts, and avoiding using passwords that relate to your personal life.

But if that’s not enough to convince you of the cloud’s excellent security systems, did you know that online retailing giant Amazon runs its entire business off of its own cloud service, AWS? 

Other benefits of using the cloud

It’s not only the increased security that comes along when you start using the cloud. Here’s a few more that you can expect for your business.

Continuity

No matter what kind of industry you are in, having a continuity plan in place is vital for protecting your sensitive data and systems. Disasters can strike at any time and for a whole multitude of reasons, ranging from the weather and natural disasters to power failures. By having your information stored off-site in the cloud, you can rest assured that it is backed up and protected in a secure and safe location. Even if you have to move office, you will be able to access and download your data from any location with internet, therefore minimising your downtime and avoiding loss of productivity.

Working flexibility

The world is getting smaller. Not literally of course but modern technology is drastically reducing businesses’ needs for a physical office with staff present 100% of the time. The cloud helps to make this even more possible by granting flexibility in staff’s working practices. Once employees are able to access their work from home, on their commute or even on holiday – anywhere with an internet connection – suddenly the whole world is your office.

Scalability

When it’s time to scale your business up, purchasing and installing upgrades to your storage needs can be both expensive and incredibly time consuming. But when you work with the cloud, everything can be done quickly to suit your exact needs. Whoever provides your cloud computer services will be able to handle all upgrades for you, leaving you free to get on with the important task of running your business.

It’s natural for any business owner to be concerned about the safety and security of their important data. Your business is your baby, and you of course want to protect it. The cloud is undoubtedly the best option and as research shows, more and more businesses will be placing their trust in this extraordinary technology, for more than its safety benefits, to further their growth and secure a strong future.

Image by Patricia Alexandre from Pixabay

Survey reveals increasing IT investment in containers

Stuart O'Brien

87 percent of IT professionals are now running container technologies, with 90 percent of those running in production and 7 in 10 running at least 40 percent of their application portfolio in containers.

That’s up considerably from two years ago, when just 67 percent of teams were running container technologies in production, according to the 2019 Annual Container Adoption Survey from Portworx and Aqua Security.

The report features insights from over 500 IT professionals across a variety of industries and company sizes. The survey, conducted in April and May, asked questions about the state of container usage, tooling, environments and barriers to adoption, to get a snapshot of the container market landscape today and its evolution over time.

Yet despite their pervasiveness, the report highlights that containers aren’t without hurdles: when asked to name their top challenges to container adoption, respondents most frequently cited security (51%), data management (40%) and cross-cloud/multiple cloud support (36%). 

Other Key Findings:

  • Organisations are making bigger investments in containers. In 2019, nearly one in five organisations is spending over $1 million annually on containers (17%). Compare this to just four percent in 2016.
  • Data security tops the list of security challenges with a super majority of respondents (61%) listing this as their top security challenge, followed by vulnerability management (43%) and runtime protection (34%).
  • For the third year in a row, increasing developer speed and efficiency is the primary driver of container adoption with 37 percent of respondents listing it as the top benefit.
  • When asked which team bears the main responsibility for container security, most (31%) named the organisation’s security team, with a joint responsibility or DevSecOps in second place (24%). However, respondents’ own roles influenced their answer, with 47% of DevOps respondents naming DevSecOps as the main owner and 54% of Security respondents naming Security as the main owner.

Download the full 2019 Portworx & Aqua Security Container Adoption Survey Report here.

Digital skills shortages ‘costing UK £63bn a year’

Stuart O'Brien

A lack of technical expertise has fuelled skills shortages across the UK for the last two decades.

That is according to comparative analysis of the professional jobs market by The Association of Professional Staffing Companies (APSCo).

A 1999 report from University College London said almost half (47%) of all ‘skill-shortage vacancies’ that year could be attributed to a lack of technical expertise.

For ‘associate professional and technical’ roles, the need for ‘advanced IT’ skills was responsible for 31% of vacancies, while a lack of ‘other technical and practical skills’ were responsible for a further 49% of all open roles.

A separate report published the same year by Computer Weekly revealed that C++ developers were the most in-demand professionals with Java the second most sought-after skill in the IT recruitment market.

Now, research from The Edge Foundation suggests that around half of all employers (51%) have been forced to leave a role open because there are no suitable candidates available, and that tech job vacancies are costing the UK economy £63 billion a year.

LinkedIn data indicates that cloud and distributed computing is the most valued skill among employers, with user interface design, SEO/SEM marketing and mobile development also featuring in the top 10.

Commenting on the analysis, Ann Swain, Chief Executive of APSCo, said: “While the specific skills that employers are seeking have changed dramatically over the past two decades, the fact that talent gaps continue to be aligned with technical competencies suggests that we need to do more to boost Britain’s digital capabilities.

“Our members have long reported shortages of talent across the IT and digital fields. For this reason, it is crucial that we ensure that we retain access to the STEM professionals that businesses need in the short term – through maintaining access to global talent and retaining our flexible labour market.

“However, perhaps more importantly, we must pipeline the calibre and volume of skills we need for the future so that we break free from this perpetual skills shortage. As this data indicates, for the past 20 years we have been playing catch-up – and we must break the cycle if individual businesses, and the wider UK economy, are to fulfil their full potential.”

Cyber attacks rise as readiness levels fall

Stuart O'Brien

A sharp increase in the number and cost of cyber attacks is the key finding in a study of more than 5,400 organisations across seven countries, commissioned by insurer Hiscox.

More than three out of five firms (61 per cent) report one or more attacks in the past year, yet the proportion achieving top scores for their cyber security readiness is marginally down year-on-year.

The Hiscox Cyber Readiness Report 2019 surveyed a representative sample of private and public sector organisations in the US, UK, Belgium, France, Germany, Spain and the Netherlands.

Each firm was assessed on its cyber security strategy and execution, and ranked accordingly. Only 10 per cent achieved high enough marks in both areas to qualify as cyber security ‘experts.’

Among the key findings:

  •    Cyber attacks reach a new intensity: More than three in every five firms (61 per cent) experienced a cyber incident in the past year, up from 45 per cent in the 2018 report. The frequency of attacks also increased. Belgian firms were the most heavily targeted.
  •    More small and medium-sized firms attacked this year: While larger firms are still the most likely to suffer a cyber attack, the proportion of small firms (defined as those with fewer than 50 employees) reporting an incident is up from 33 per cent to 47 per cent. Among medium-sized firms (50 to 249 employees) the proportion has leapt from 36 per cent to 63 per cent.
  •    Cyber losses soar: Among firms reporting attacks, average losses associated with all cyber incidents have risen from $229,000 last year to $369,000 – an increase of 61 per cent. For large firms with between 250 and 999 employees, cyber-related losses now top $700,000 on average compared with $162,000 a year ago. German firms suffered the most, with one reporting a cost for all incidents of $48 million.
  •    More firms fail cyber readiness test: Using a quantitative model to assess firms for their cyber readiness, only one in ten (10 per cent) achieved ‘expert’ status this year, slightly down from 11 per cent in 2018. Nearly three-quarters (74 per cent) ranked as unprepared ‘novices’. There was a sharp drop in the number of larger US and German firms achieving ‘expert’ scores.
  •    Cyber security spending up by a quarter: The average spend on cyber security is now $1.45 million, up 24 per cent on 2018, and the pace of spending is accelerating. The total spend by the 5,400 firms in the survey comes to $7.9 billion. Two-thirds of respondents (67 per cent) plan to increase their cyber security budgets by 5% or more in the year ahead.

Gareth Wharton, Hiscox Cyber CEO, said: “This is the third Hiscox Cyber Readiness Report and, for the first time, a significant majority of firms report one or more cyber attacks in the past 12 months. Where hackers formerly focused on larger companies, small and medium-sized firms now look equally vulnerable. 

“The cyber threat has become the unavoidable cost of doing business today.  

“The one positive is that we see more firms taking a structured approach to the problem, with a defined role for managing cyber strategy and an increased readiness to transfer the risk to an insurer by way of a standalone cyber insurance policy.”

The study also shows:

  •    Wide disparity in readiness scores: Overall, US, German and Belgian firms score highest on the cyber readiness model, while more than four-fifths of French firms (81 per cent) are in the ‘novice’ category. Along with the Netherlands, France has the smallest proportion of large and enterprise firms that rank as ‘experts’, at 9 per cent.
  •    Cost figures skewed by large incidents: Among firms that were targeted by hackers, there has been a sharp rise in the cost of the biggest single incident reported in the past year. The mean cost has jumped from $34,000 to a fraction under $200,000. 
  •    Supply chain incidents now commonplace: Nearly two-thirds of firms (65 per cent) have experienced cyber-related issues in their supply chain in the past year. Worst affected are technology, media and telecoms (TMT) and transport firms. The majority of firms (54 per cent) now evaluate the security of their supply chains at least once a quarter or on an ad hoc basis.
  •    Reasons to be optimistic: The proportion of firms with no defined role for cyber security has halved in the past year – from 32 per cent to 16 per cent – and there has been a marked fall in the number of respondents saying they changed nothing following a cyber incident (from 47 per cent to 32 per cent). New regulation has also prompted action, with 84 per cent of Continental European firms saying they have made changes following the advent of the General Data Protection Regulation (GDPR). The figure for UK firms is 80 per cent.
  •    Rising uptake of cyber insurance: More than two out of five firms (41 per cent) say they have taken out cyber cover in the past year (up from 33 per cent in 2018). A further 30 per cent plan to, but only 27 per cent of small firms.

The full report can be accessed here: https://www.hiscox.co.uk/cyberreadiness