In the second Hiscox Cyber Readiness Report, conducted by Forrester Consulting, nearly three quarters of the 4,103 organisations surveyed were found to lack a strategy when it comes to cyber security. Organisations were placed in one of three categories, ‘cyber novice’, ‘cyber intermediate’ or ‘cyber expert’: 73% were deemed cyber novices, and only 11% of organisations that participated in the study were deemed cyber experts.
With GDPR (General Data Protection Regulation) around the corner, it would be expected that cyber security would be a top priority for all businesses. However, many businesses still aren’t doing enough to become compliant with the upcoming regulation. It was found that small businesses dedicate only a small percentage (9.8%) of their IT budget to cyber security. It is clear that small businesses and organisations are not able to compete with larger businesses when it comes to cyber security, as only 7% of SMEs ranked as cyber experts.
Businesses are placed into three categories which determine the quality of a business’s cyber security strategy: cyber novice, cyber intermediate or cyber expert. The key focus points determining which category a business is placed in include their oversight, resourcing, processes and technology. The report revealed that many businesses will not hesitate to spend on technology but fail to focus on the ongoing oversight and training that is constantly required within the IT and technology sector.
It was also found that the US is the best prepared of the countries involved in the report, which included the UK, US, Germany, Spain and The Netherlands. The UK came a close second, with 25% of the bigger businesses in the UK deemed cyber experts.
The key factors that differentiate the expert businesses from the novice businesses are: having a clearly defined cyber security strategy, the changes that they are prepared to make after a breach, incorporating training and awareness throughout the workforce, and conducting phishing experiments to determine how prepared the staff are.
An advisor to Hiscox, Robert Hannigan, explained: “The survey highlights a widening gulf between those who ‘get’ cyber security, take it seriously, and spend appropriately, and those who still regard the issue as someone else’s problem. Cyber security is not an IT issue but rather a risk for the whole organisation; tackling it is more about people, behaviour and culture than clever technology.”
Although cyber security needs to become more of a priority for businesses of all sizes, the future looks hopeful. Almost three out of five respondents plan to increase their cyber security budget, which should enable them to have better protection. The businesses that have been deemed experts plan to increase their cyber security budget the most. For example, 55% of experts want to invest more in awareness training, compared to only 29% of novices.
With GDPR coming into effect this May, businesses of all sizes need to up their game when it comes to cyber security and data protection. Any businesses within the EU should be motivated to improve their cyber security as the fines that come from lack of compliance can be heavily damaging to the livelihood of their business.