Cyber-Attacks Rank First as Company Worry
Cyber-attacks are the top concern among businesses of all sizes globally for the first time since the Travelers Companies’ survey began 5 years ago.
The research was conducted by Hart Research on behalf of Travelers and surveyed 1,200 business leaders across the globe. Of the 1,200 respondents, 55% said they worry some or a great deal about cyber risks, ahead of medical cost inflation (54%), employee benefit costs (53%), the ability to attract and retain talent (46%) and legal liability (44%). In prior Traveler surveys, medical cost inflation was the issue that concerned business leaders the most.
Concerns of business leaders have changed because attacks have escalated, and damage has increased. Since 2015, the percentage of small business respondents who have suffered a cyber-attack has tripled, from 4% to 12% this year. Medium-sized companies have doubled (10% in 2015 to 20% this year) and large businesses that are still targeted the most still are experiencing substantial increases (from 19% to 33%).
As attacks have increased, concerns about threats to these organizations have escalated in response. A higher percentage of businesses across almost every industry reported taking additional steps to protect against ransomware and other cyber threats. That said, a significant percentage of the respondents have not implemented even the most fundamental of security best practices. Several of the questions asked in the survey that drew attention included organizations who:
- Updated their computer passwords (74%, up from 71%).
- Purchased a cyber insurance policy (51% of survey participants, up from 39% last year).
- Created a business continuity or disaster recovery plan in the event of a cyber attack (47%, up from 38%).
- Executed a risk assessment across their IT infrastructure (49%, up from 45%) and their vendors (41%, up from 37%).
“The Travelers Risk Index shows that more businesses are taking steps to prevent a cyberattack, but it’s still alarming that nearly half don’t have the proper insurance coverage,” said Tim Francis, Enterprise Cyber Lead at Travelers.
“One cyber-attack can put a company out of business. Taking the threat seriously and implementing a NIST, CSC 20 or ISO security posture assessment that addresses possible exposures can help a company not only avoid an attack but also recover from one as quickly as possible.”
“More companies are experiencing cyber-attacks,” Francis said. “The cost of a single breach to a small business can easily reach a substantial amount of money on top of the time it takes to restore the business, so protecting a company’s assets with a cyber insurance policy is critical.”
Other key findings from the 2019 Travelers Risk Index include:
- Nearly 80% of respondents suggested that it was difficult to keep pace with the evolving cyber landscape.
- The percentage who said today’s business environment was riskier than previous years remained at 36%.
- Being breached and having a third party gain unauthorized access to financial accounts was tied as the highest-scoring concern among respondents. The third-highest concern was a ransomware attack which increased to 52% from 44% in 2018. Lastly, 43% of respondents said social engineering or phishing scams were a concern, up from 36% last year.
- While there is greater awareness of cyber risks generally, 25% of participants thought their business would not suffer an attack over the next year, and thus opted not to purchase an insurance policy. The top reason for not purchasing a cyber insurance policy, cited by 31% of respondents, was the expense.
- 75% of survey participants agreed that having the proper cyber prevention tools in place is critical to the well-being of the business, an increase from 69% in 2018. The tools were firewalls, anti-virus, threat-hunting technology, SIEM technology, and other log monitoring tools.
The Travelers results are somewhat in line with organizations that conduct similar surveys including a recent global report by insurance provider Marsh and their partner Microsoft. The report suggested that while nearly 8 of 10 of organizations now rank cyber risk as a top-five concern, compared to 62% in 2017, the majority of board members and senior executives responsible for their organization’s cyber risk management spend less than a day a year focusing on cyber risk issues.
In addition, insurance provider Chubb found that while about 70% of individuals say that their company has “excellent” or “good” cybersecurity practices in place, many companies continue to neglect to implement many basic safeguards in its survey. From 2018 to 2019, there were only small increases in the percentage of companies that hold annual employee trainings (31% and 33%), deploy filters for online content (38% and 40%) and leverage social media blocks (32% and 33%).