Enterprises See Rise in Data Breach Costs, Shift in Security Spending Focus

A study of more than 5,500 companies within eight countries found that businesses affected by cyber incidents witnessed their losses rise from $10,000 per incident to $57,000.

While losses soared, the number of targeted businesses fell to 39% from 61% a year ago. The data is based on an analysis by Forrester Consulting and commissioned by Hiscox Insurance Group. According to Hiscox, firms were evaluated and ranked on their cybersecurity strategy and execution.

The evaluation found a minority, but significant, number of firms improved their cybersecurity readiness year over year. The study ranked enterprises by “cyber readiness” and placed them in three categories: novice, intermediate, and expert. While 64% of the 5,500 companies studied did fall into the novice category, that number is down from 74% last year. And while only 18% of companies were ranked as experts at cyber readiness, that is a big improvement from 10% last year. Those who were determined to be intermediate remained essentially flat at 17% this year and 16% last year.

The two nations with the highest percentages of experts were the United States and Ireland, with 24% ranked such. The nation of France enjoyed the biggest improvement year over year, rising from 6% of companies as experts to 24% this year.

The cyber readiness model, as defined in the report, attempts to quantify a firm’s security operational alignment with four classes of “best practices:” strategy oversight and resourcing along one axis, and technology and process on the other axis. “Businesses that score four out of five on both axes are considered experts. Those that achieve that score on one axis only are intermediates. Those that do neither count as novices,” the report said.

What does achieving an expert rating mean better security outcomes? According to the report, yes. “The better prepared firms did much better than the novices. The latter were three times more likely to suffer a breach than the experts, with a median figure of 30 per firm compared with nine for the experts,” the report concluded.

I’m not as confident as the report authors on that point. It’s also conceivable that bigger enterprises with more security expertise on hand, or deeper budgets to afford it when needed to hire, and have the ability to put the tools and processes in place to better identify and respond to breaches. While smaller firms may not even see the breaches coming. This possibility is supported by the data, with two in five large organizations ranking as experts, while the majority of firms with less than 100 employees are classified as novice.

Overall, twice as many firms responded to a breach this year by adding new security and spending more on employee training. The total costs of all security incidents among the firms studied reached $1.8 billion from $1.2 billion.

Additionally, firms that were breached responded by increasing security spending, including increasing staff awareness.

For instance, following a successful attack this year, 25% of firms increased their cybersecurity spending, while only 11% did so in the year prior. Overall, the number of firms who are increasing their cybersecurity spending by 5% or more increased from 67% two years ago to 72% this year.

According to the study, security spending rose to $2 million from nearly $1.5 million two years year ago, on average. That’s a rise of 39%. The study found French organizations spent the most, at $3.1 million, followed by Spanish and US organizations at $2.6 million and $2.4 million respectively.

Financial services, manufacturing sectors, and technology, media and telecoms, while Irish firms had the highest median costs, exceeding $103,000. When it came to ransomware, over 6% of respondents (one on six of those attacked) admitted to paying a ransom, with the highest ransom being paid exceeded $50 million. Larger enterprises were, not surprisingly, hit more than average, with 51% of firms with more than 1,000 employees reporting at least one cybersecurity incident.

Interestingly, regardless of whether a ransom was paid, the average loss was nearly twice as high for firms hit by such attacks, at $927,000 compared to $492,000.

The study also found cyber insurance is growing in popularity. The proportion of those surveyed who said they have acquired cyber insurance following an attack, from 9% to 20%. While 26% of those who have cyber insurance report having a dedicated policy and an additional 18% expect to purchase a dedicated cybersecurity policy or add it to existing policy coverage. Tellingly, 45% of those organizations rated as “experts” indicated that they have a dedicated cybersecurity policy.

“While the number of firms reporting a cyber breach is down this year, the cost of criminal activity in this area appears markedly higher,” said Gareth Wharton, Hiscox Cyber CEO, in a statement. “The number of businesses that have paid a ransom following a malware infection is chilling. There is, however, one very positive message from this year’s report. There is clear evidence of a step-change in cyber preparedness, with enhanced levels of activity and spending. Take-up of standalone cyber insurance remains patchy, but this report is a reminder that firms are many times more likely to have a cyber incident than either a fire or a theft – for which most automatically insure,” he added.

Finally, when it came to spending, it wasn’t always clear that spending more brought more security. While those organizations that spent 10% or more of their IT budget on security were less likely to endure a breach than those who spent less than 5%, those larger security spenders who were larger firms suffered higher data breach costs, on average. “Size brings more customers, higher notification costs and bigger ransoms,” the study found.

“It is also worth asking whether firms are directing their spending to the right areas,” the report asked. It seems many enterprises want to spend more on security awareness and increase security professionals on staff. “There has clearly been a shift of emphasis over three years. The proportion of respondents planning to increase spending on new cyber security technology has progressively fallen over that time from 57% in 2018 to 46% in 2020 while the number intending to invest more in employee awareness training has risen from 34% to 40%. More than a third (35%) plan to increase cyber security staffing, up from 26%two years ago,” the study found.