These are among the findings in a study of 5,569 companies across eight countries, commissioned by insurer Hiscox. Encouragingly, while losses increased, the proportion of businesses targeted fell from 61% to 39%.
The Hiscox Cyber Readiness Report, now in its fourth year, surveyed a representative sample of private and public sector organisations in the US, UK, Belgium, France, Germany, Spain, the Netherlands and Ireland. Each firm was assessed on its cyber security strategy and execution, and ranked accordingly. The results showed a marked improvement in cyber security readiness with the numbers achieving 'expert' status nearly doubling - from 10% to 18%.
Among the key findings:
- Cyber losses soar: Total cyber losses among the study group rose from USD 1.2 billion to nearly USD 1.8 billion. The highest reported cyber losses were by a UK financial services firm, at USD 87.9 million. The highest loss from any one cyber event was USD 15.8 million, involving a UK professional services firm. The most heavily targeted sectors were financial services, manufacturing and technology, media and telecoms (TMT). Irish firms suffered the highest median costs, at over USD 103,000.
- Held to ransom: More than 6% of total respondents - or one in six of those attacked - paid a ransom following a malware attack. The highest losses reported by any single company targeted with ransomware - and which could include other cyber events - topped USD 50 million.
- Upping their game: The number of firms achieving 'expert' status in our cyber readiness model increased from 10% to 18%. This follows two years in which progress stalled. US and Irish firms came out best with 24% ranked as experts. France was the biggest improver with 18% of firms ranked as experts, up from 6%. Overall, twice as many firms responded to a breach this year by adding new security and spending more on employee training.
- Pace of cyber spending accelerates: The average spend on cyber security rose from USD 1.47 million to USD 2.05 million, a rise of 39%. French firms spent the most with an average of USD 3.1 million. Spanish and US firms were not far behind, at USD 2.6 million and USD 2.4 million respectively. The UK, a laggard in past reports, started to catch up: average spending rose from just under USD 900,000 to USD 1.5 million.
"While the number of firms reporting a cyber breach is down this year, the cost of criminal activity in this area appears markedly higher. The number of businesses that have paid a ransom following a malware infection is chilling. There is, however, one very positive message from this year's report. There is clear evidence of a step-change in cyber preparedness, with enhanced levels of activity and spending. Take-up of standalone cyber insurance remains patchy, but this report is a reminder that firms are many times more likely to have a cyber incident than either a fire or a theft - for which most automatically insure."