The Hiscox Cyber Readiness Report 2021 provided some concerning statistics and facts about the impact of cyber-crime. It is a game, and it is one that Hiscox fundamentally believes no business should leave to chance. Multiple threat vectors, variable threat actors and, perhaps most worrying, repeated cyber-crime attacks on companies pose a serious risk to organisations small and large alike. One-in-six of all firms attacked this year (17%) said the impact was serious enough to ‘materially threaten the solvency or viability of the company’.
According to Anna Collard, SVP of content strategy at KnowBe4 Africa, the report underscores the immense challenge that organisations face when it comes to securing the business and the people within it.
“This is the time for the organisation to turn and face the threat head on,” she says. “It is too risky to think that these attacks happen to someone else, or that your systems are too good to be breached. There is always a vulnerability, or a bad decision made by an employee.”
Perhaps the most extraordinary point to come out of the Hiscox report was the fact that more than a quarter of those organisations hit by cyber-attacks were hit more than five times in a year. Forty-seven percent of enterprise-scale firms were targeted more than six times, and 33% fought off attackers more than 25 times. That translates to 33% of companies being attacked on average twice a month. It is not just attack, pay the ransom and go. It is attack, attack again and keep on attacking.
“The more successful a breach, the more the organisation is targeted,” says Collard. “The victims of these attacks are paying the ransom and then they are being hit again. The problem is that many organisations are just paying up to protect sensitive information and this is encouraging the attackers to keep on coming back for more.” Just over half of those targeted (58%) paid a ransom – either to recover data or to prevent publication of sensitive information.
When asked about the first point of entry of the attackers, 37% of respondents mentioned their corporate-owned servers, 31% their cloud-based servers, followed by company websites (29%) and employee errors such as phishing or spoofing (28%).
Collard believes that organisations can fight back and put themselves in the driver’s seat. This starts with investing in people, process and technologies and applying best practices across the organisation. It pays off to have people dedicated to cybersecurity, and to invest in the people and technology that allow the organisation to achieve security maturity.
“If you achieve a certain level of maturity in your people training, processes and technology, then you can mitigate the impact of these incidents far more effectively,” says Collard. “If you do not, the impact will be far more severe. The Hiscox research shows that organisations with more mature security fare best when attacks happen. They had fewer ransomware attacks and when hit, recovered more quickly. You need to ensure that your people know and understand your security policies, and really do recognise the value of these policies in protecting both the organisation’s data and their own.”
The focus for the future should not be on the security threats and concerns that the organisation cannot control, but on the internal systems and processes it can control. Minimise vulnerabilities by making sure that patch management and updates are properly managed. Hire the right people and make sure they have the right tools at their disposal. And train everyone, all the time, so that security is embedded into the very fabric of the company and its culture.
“The future is complicated; security even more so,” she says. “But it pays off to invest into security best practices and processes that put you back in control.”