[Figure: Impacts of a cyber attack (%). Categories: nothing has changed in past 12 months; lost business partners; fine that had significant impact on business; greater difficulty attracting new customers; solvency or viability of business was threatened; lost customers; reduction in business performance indicators; negative impact on brand or reputation; caused a breach for third-party partners; costs associated with notifying customers.]

Vulnerabilities and impacts

The favourite entry point for hackers was once again business email compromise, mentioned by 35% of targeted companies (and 40% of government and non-profit respondents). The corporate server, whether owned in-house (mentioned by 31%) or in the cloud (mentioned by 29%) came second and third. In both cases those percentages were way down on the previous year, suggesting preventive work is having an effect.

The energy sector appears particularly prone to breaches of a corporate owned server. The construction sector tops the list of industries hit with a cloud server breach alongside travel and leisure, as well as IT technology.

The most common outcome of a cyber attack was financial loss due to payment diversion fraud (mentioned by 34% of attacked firms, up from 28% two years ago). Loss of data and virus outbreaks dropped for the second year running.

Some of the knock-on effects of cyber attacks were felt more widely this year than before. Nearly a third (31%) of firms that were attacked reported increased costs for notifying customers of an attack. The figure is up for the second year running. The same is true of those reporting a breach for third parties, up over two years from 20% to 26%.

It is worth noting that the disaster scenario is not as remote as one might believe. One-in-five firms (21%) that were attacked said the impact was enough to threaten the viability of the business. That was also the case for a fifth of the very smallest firms.

Country by country: Ireland stands out

Which countries were most vulnerable?

In terms of number of firms attacked, Ireland stands out this year with more than seven-in-ten firms (71%) targeted, a third more than the average for the study group as a whole. Irish firms were also targeted almost three times as often as the average median and were significantly more likely to be targeted with ransomware (30% compared with 20% on average across the study group). More than half of respondents in Ireland said the first point of entry was via the corporate owned server (57%) or a cloud server (50%).

In financial terms, the worst hit countries were the UK (with median costs per firm of $24,200), The Netherlands ($21,400) and the USA ($20,000). For US and UK firms, business email compromise ranked top, mentioned by 38% and 37% respectively.

There was a sharp jump in the number of German firms reporting attacks – up from 46% to 58% – with the median number of attacks per firm rising from six to ten. By contrast, two countries – Belgium and The Netherlands – saw a fall in the median average number of attacks experienced. It may be relevant that The Netherlands was the only country in our study to have upped its average cyber readiness score in our maturity model this year.

Focus on building resilience

So, given the relentlessness of cyber risk, how can businesses continue to build their resilience?

It’s evident that those businesses who perform best when defending against attacks have a number of things in common - not least a dedicated security function, which is a solution not open to most small and mid-sized organisations.

There are however three highly effective controls, open to all, including the use of endpoint detection response (EDR), multi-factor authentication (MFA), and a more prosaic (but no less effective) programme of employee awareness.

EDR works effectively to monitor end-user devices, looking for cyber threats like malware and ransomware. Meanwhile, MFA requires users to supply two or more pieces of identification, such as a password and PIN before they are able to gain privileged access to IT systems or personally identifiable information.

Effective as these tactics are, both approaches continue to show some signs of stress, having been overcome in some instances by committed hackers. Nonetheless, they are a good start towards building a robust security system; one which can also include measures like controlling communications between networked devices as well as the all-important back-up of data, which can secure a remote source and eliminate the potential for unrecoverable data loss.

Employee awareness of the risk is also critical. After all, most attacks can only be successful if they are enabled by someone clicking an attachment on an email and allowing an attacker entry into a company’s business systems. Improving awareness can be a relatively low-cost measure in the fight against cybercrime, but it’s one that is often overlooked by businesses.

Evidently, investment in cybersecurity through measures like these pays dividends. Hiscox’s report reveals that nearly half (45%) of the bigger firms surveyed say their exposure to cyber-attack has reduced in line with increased spending on cybersecurity – a rise from just over a third (36%) in 2022. Smaller businesses of up to 249 employees have also upped their median spending. This link between investment in cyber security and a reduction in the risk should be a clear consideration as businesses consider their budgets for the next financial year.
The role of cyber insurance

Part of that investment should include the consideration of cyber insurance. Many of those businesses with increased cyber risk maturity (42%) had standalone cyber insurance cover, while a further 36% had some element of cyber cover in another insurance policy. In contrast, smaller firms are behind their larger counterparts in taking out cover.

Insurance should not be perceived as the preserve of bigger companies, particularly now that cyber has become such a ubiquitous threat to businesses of every size. The cost of a cyber insurance premium that can deliver benefits - such as access to IT forensics, legal and crisis management support - is especially good value, given how this type of care can assist with threat mitigation and quickly return a business to the position it was in before an attack.

Sentiment improves, but no room for complacency

Most importantly, it is crucial for all businesses to build their awareness of the latest threats and trends, developing their tactics, techniques and procedures to combat the cyber threat and build organisational resilience.

An improvement in business sentiment towards cyber risk, as indicated by the Hiscox Cyber Readiness Report, implies that as the threat becomes more mainstream, organisations are becoming more comfortable and confident in dealing with the likelihood of a cyber-attack - approaching this outcome in the same way as they would some of their other business risks.

However, this sentiment also reflects a rising spend on cybersecurity, alongside better implementation of security measures and increased buy-in from senior management figures. Actions like these are to be welcomed, especially given the fact that for every business, the likelihood of cyber-attack is a case of when, not if.
Eddie Lamb, Group Chief Information Security Officer, Hiscox

The link with cyber budgets

Not surprisingly, money is also seen as important. Bigger cyber risk budgets are prominent reasons for feeling more cheerful about the cyber threat. Some 45% of bigger firms that say their exposure to cyber attack has gone down cite bigger budgets and better risk reduction solutions as a reason why. That is up from 36% the previous year.

It begs the obvious question: is there a link between the size of budgets and reduced cyber risk? There are tentative reasons for thinking so this year. As mentioned earlier, smaller firms have managed to reduce the median cost of cyber attacks despite their greater intensity. At the same time, smaller companies in the 1-9, 10-49 and 50 to 249 employee segments have materially upped their median spending – by 77%, 36% and 145% respectively. Over two years, firms with less than ten employees actually quadrupled their median cyber security spending.

By contrast, at the top end – firms with 250 or more employees – median spending has been trimmed this year. Here the financial impact of attacks has continued to rise.

Looking at the country data, Belgian firms spent less on cyber security than any other group – $69,000 as a median average, down from $144,000 the previous year. Median losses from cyber attacks nearly doubled. 62% of respondents reported costs of $10,000 or more – nearly twice the average for the study group.

By contrast, German firms were the biggest spenders, at a median of $212,000, and saw a reduction in losses from $21,000 to $16,000. Admittedly, German firms have topped the cyber security spending averages for the past three years. But they are the only group that has seen a material reduction in attack costs over that period.
One thing is certain: the experts in our survey tend to spend a larger proportion of their IT budgets

Cyber security median spend ($), by number of employees

Year   1-9     10–49    50–249    250–999   1,000-plus
2023   8,100   47,900   147,700   922,000   4,900,000
2022   4,600   35,300   60,200    938,800   5,500,000
2021   2,000   20,000   59,300    355,800   2,500,000

Money is only part of the resource equation

The number of people being deployed to counter the cyber threat is also relevant. Belgian, Irish and US companies lead in this area with an average 97, 95 and 84 people in the cyber team respectively. They are way ahead of the rest. Yet behind those averages lies an interesting statistic: 15% of US and UK firms are without a managerial role dedicated to cyber security. That compares with just 8% of German firms, for instance. The USA and the UK happen to be two of the three worst hit countries in this year’s survey.

The existence of a dedicated cyber security head is one of the key differentiators between the experts and the rest. Only 4% of the firms qualifying as experts this year lacked a role dedicated to cyber. That contrasts with more than a quarter (27%) of the novices. Many of them are smaller companies for whom this is clearly a resource issue. More than a third (34%) of firms with fewer than ten employees said they had no defined role for cyber security. This dropped to 9% for firms in the ten to 49 employee bracket.

However, and perhaps more worryingly, smaller firms also lag in less money sensitive areas such as putting in additional security or employee training after an attack.

1 https://www.hiscoxgroup.com/cyber-readiness
2 https://www.gov.uk/government/statistics/business-population-estimates-2023/businesspopulation-estimates-for-the-uk-and-regions-2023-statistical-release

MODERN INSURANCE | 11