Turning a blind eye: 73% of companies are ill-prepared to defend cyber attacks

March 30, 2018
Original post by Byron V. Acohido

Have we truly reached the point where a multiple-year run of nightmarish cyber attacks has become mere white noise to the business community?

I cannot think of any other way to explain the findings of a new report starkly showing that fully 73% of companies in five Western nations miserably failed a cybersecurity readiness test.

New York City-based specialist insurance company Hiscox commissioned a survey of more than 4,100 organisations and found that fully seven of 10 reported being ill-equipped to face a cyber attack, despite roughly the same number acknowledging that they considered cyber attacks to be a top business risk.

This pervasive apathy about efficiently defending business networks persists even though ransomware continues to run rampant, automated data theft and identity fraud continue to mushroom, power grid infiltrations creep ever more comprehensive and the hacking of Internet of Things steadily scales upward.

Indeed, some 45% of the executives and IT professionals who took the poll said their organisations, based in the US, UK, Germany, Spain and the Netherlands, experienced at least one cyber attack in the past year, while two-thirds suffered two or more attacks.

Very few experts

The Hiscox study further found the costs of cybercrime ranged as high as $25 million for one U.S. incident, and $20 million each for individual attacks in Germany and the UK. The average cost for all attacks reported by the poll takers: $229,000. That included average damage of $1.05 million reported by American companies with 1,000-plus employees. For companies with fewer than 100 employees, average costs ranged from $24,000 in Spain to $63,000 in Germany.

Upon examining each of the 4,100 companies’ security strategy, as well as its execution of that strategy, Hiscox found that just 11 percent scored highly enough in both areas to qualify as cybersecurity “experts.” Meanwhile, one in six firms (only 16%) achieved expert status in either strategy or execution, but not both, the study revealed.

This shows a widening gulf between those who fully grasp the implications of operating a business in the current environment, and those who are too distracted, or perhaps overwhelmed, to bother to put up a valid defence. The Last Watchdog asked Dan Burke, Vice President and Cyber Product Head for Hiscox in the US, about this. Here’s what Burke had to offer:

“Some firms may feel that they lack the expertise or capital to get their company cyber-ready, or frankly, that “it” [a cyber attack] could never happen to them. All businesses should think of it not as if it might happen to them, but when it will happen. Cybersecurity is not just an IT issue, but rather a risk for the whole organization . . .

“Simply spending on technology is not enough without the appropriate people, processes and technology in place. The businesses that get it accept the fact that the threat is real, and they’re taking the necessary steps to implement a defence and response structure.”

Sounds about right. What these metrics lay bare is the viral nature of the day-to-day business environment, now that commerce has become cloud-centric and mobile-device-centric.

Average citizens get a glimpse of this badness every few weeks, every time yet another high-profile organisation pops in and out of the news cycle for losing personal data on millions of individuals. Equifax, Yahoo, Uber et al. remind us how even large enterprises, companies that spend millions on security, routinely fail at defending their networks and protecting their customers’ private information.

Complex challenge

There’s no question cybersecurity is a complex, continually morphing problem. Just as clearly, the collective defences put up by the business and government sectors, which are substantial, as illustrated by the $93 billion global market for cybersecurity products and services, aren’t cutting the mustard.

There are innovative technical solutions and best-practice standards aplenty. But somehow the vaunted combination of technology, processes and people, which makes eminent sense on paper as the recipe for repelling hackers, has simply failed to take hold.

“Despite the criticality of security, it is becoming a world of haves and have-nots,” observes Brian NeSmith, CEO of Arctic Wolf, which supplies security services to smaller businesses. “It’s a problem that cannot be solved by just buying products because it requires a level of in-depth expertise and dedicated personnel.”

Smaller firms, in particular organisations with fewer than 250 employees, tend to devote a smaller proportion of their IT budgets to cybersecurity: 9.8 percent on average versus 12.2 percent for larger organisations.

Hiscox’s Burke observes that cyber attacks tend to be more debilitating to a small business that has fewer resources. “While their IT budgets are likely more modest, smaller firms need to make sure that an appropriate proportion of this budget is devoted to cybersecurity,” Burke says. “There are ways to prepare your business that don’t require a significant financial spend, like having the right strategy in place and making sure all employees are aware of cyber risks.”

Seeking solutions

Outsourcing, he says, can be an alternate approach for firms that need an extra layer of expertise, but they should not lose sight of the fact that the ultimate responsibility lies in house.

NeSmith suggests SMBs invest in some level of threat detection. “Security products are great for helping to prevent attacks, but most breaches are the result of threats that were missed by preventative security products,” he offers. “Threat detection requires a combination of products, tools and security experts who are constantly monitoring your IT environment and making sure that suspicious activity is investigated and resolved.”

Arctic Wolf is one of several vendors that have cropped up and are thriving by providing managed security services to small and mid-sized companies. Says NeSmith: “Do the math. You don’t have to build everything in-house. Security operations centre service providers offer many of the things you need for advanced threat detection and response, replacing the need to build this capability in-house. Depending on your budget and needs, going with a service may be the fastest and most cost-effective way to execute a smarter cybersecurity strategy.”

The big takeaway from the Hiscox report is all too familiar. Securing business networks in today’s environment is difficult, and must be continually addressed. The report is yet another reminder that we remain entrenched in an escalating war of attrition. Hackers with malicious intent continue to operate with impunity. Each consumer and each company needs to take privacy and security much more seriously. That means reducing one’s digital footprint, clicking judiciously and remaining ever suspicious online.

That surely isn’t the long-run answer. Much bigger change is needed. Security needs to be baked into the systems and services we’ve come to rely on. Until that happens, each individual, each vertical industry, and the public sector and governments as a whole, probably will have to accept drastic behavior changes.