German firms were hardest hit by cyber attacks and ransomware is now commonplace, with one in six firms targeted

The overall proportion of businesses targeted by cyber criminals in the past year has increased to 43 percent, up from 38 percent, in part due to the double-whammy impact of the Covid pandemic, according to the Hiscox Cyber Readiness Report 2021.

Over a quarter of those targeted (28%) experienced five attacks or more. Those attacks are pushing many firms to the brink, with one in six businesses attacked (17%) saying the financial impact materially threatened the company’s future.

The European study found that German firms were hardest hit, with German businesses accounting for more than a third of total losses across the entire study group at $48m. They also topped the table for the median cost of all attacks ($23,700) and the largest single attack ($5.1m).

The study also revealed a gulf in perception on Covid-19 dangers. Fewer than half (47%) of firms said they had become more vulnerable to cyber attack since the onset of the pandemic, though two-thirds of large and enterprise firms (67% and 68% respectively) said they had reinforced their cyber defences to deal with home-working.

Ransomware drives severity of loss

Ransomware is now commonplace: around one in every six firms attacked (16%) was targeted with ransomware and more than half (58%) paid up.

In the US, the proportion paying a ransom was 71%. The costs of recovery from a ransomware attack were typically almost as high as any ransom paid (making up an average 45% of overall cost). Phishing emails were the main way in for the extortionists, with small companies particularly likely to succumb.

Commenting on the report’s findings, Steve Arlin, VP Sales, UK, Americas & APAC, ProLion, said: “The most effective route to combat ransomware lies in what companies are not doing, that is failing to take the threat of ransomware seriously enough in the first place.

“Organisations seem content to carry on with the mandated once-a-year cybersecurity training courses which focus primarily on phishing emails and click-bait. Whilst these are still worthwhile, additional measures are needed due to the impact of Covid-19 which has led to many more people working from home.”

“One undeniable reason why you should care more than ever about Ransomware is the removal of barriers to entry,” he continued. “With the introduction of Ransomware-as-a-Service (RaaS), many more criminals can now operate, and now it’s not only large organisations that fall victim, but also SMEs, local government and councils, and even sports teams, resulting in massive business disruption, reduced revenue, and disenfranchised customers.”

“The call to action is simple – be proactive. We have seen with the Covid-19 response that most people would not wait till they are infected with a virus before doing something about it. Likewise, with ransomware, do not wait till it is too late! In the famous underlying principle of medicine – prevention is better than cure,” concluded Arlin.

Firms lack true cyber resilience

The report includes a cyber readiness model that gauges firms’ strengths in six key cyber security areas across people, process and technology. It is designed to be interactive, allowing businesses to check and compare their cyber maturity with their peers, draw on best practice in each area, and develop cyber resilience.

Scoring survey respondents against the readiness model highlighted the number of firms lacking true cyber resilience. One in five (20%) qualified as an ‘expert’, while more than a quarter (27%) were classed as novices.

Encouragingly, the report shows firms are responding to the cyber challenge: mean spending per business on cyber security has more than doubled in the last two years.

Gareth Wharton, Hiscox Cyber CEO, commented: “One of the big takeaways of this report is the worrying range of financial impacts that cyber attacks can have. The risk of inaction is that the next attack could be enough to sink the business. Cyber is a complex problem but that does not mean it is unmanageable. With good risk management and appropriate cyber insurance, firms can contain the impact of an attack and limit the damage.”