Percentage of Organizations Hit by Cyber Attacks Continues To Grow
October 18, 2023
Cyber attacks increased for the fourth consecutive year in 2022, with 53 percent of firms surveyed suffering a cyber attack, according to a new report from Hiscox.
In its Hiscox Cyber Readiness Report 2023, Hiscox says that last year's report saw 48 percent of firms revealing that they'd experienced a cyber attack.
The median cost of those attacks dropped slightly in this year's report, from almost $17,000 to just over $16,000, Hiscox says. But expensive attacks are still possible, the report says, with 1 in 8 of those surveyed reporting suffering costs of $250,000 or more.
Hiscox also found smaller firms are becoming a more frequent target of cyber crime. Over the past 3 years, the proportion of firms with fewer than 10 employees that were attacked increased by more than half to 36 percent, the report says.
"Being small does not mean a firm can count on being ignored by the cyber criminals," Eddie Lamb, director of cyber education and advisory, says in an introduction to the report. "More encouragingly, however, the report also shows that the smallest firms have been ramping-up spending at a markedly faster pace than others, which may help in countering the increasing attacks."
Hiscox also found that the largest companies, those with more than 1,000 employees, are finding cyber attacks a more regular occurrence. Some 70 percent of companies in that group reported at least one cyber attack, up from 62 percent in the 2022 Hiscox report.
Hiscox attributes the slight year-on-year decrease in the cost of cyber attacks to businesses getting better at spotting and disrupting attacks. The report cites a small increase in the number of companies that successfully defended against a cyber attack—8 percent versus 7 percent a year earlier.
While the median cost of attacks stood at $17,000 in this year's report, Hiscox notes that in its 2022 report only 4 companies reported cyber-attack costs of more than $5 million. This year's report found 8 companies in that category, with 3 that suffered attacks that cost more than $10 million.
Hiscox found that cyber-attack costs vary widely by industry. Four sectors—manufacturing, transport and distribution, energy (among the top three targets in each of the last three reports), and government and nonprofit—experienced median cyber-attack costs of $20,000 or more. Transport and distribution saw median cyber-attack costs increase 28 percent year on year, while government and nonprofit experienced an 83 percent increase.
"The good news is that most industries managed to contain or reduce the median cost of the single largest attack suffered," the Hiscox report says.
Business email compromise was once again the most common entry point for hackers, Hiscox says, mentioned by 35 percent of all targeted companies and 40 percent of government and nonprofit respondents.
Corporate servers, whether owned in-house (cited by 31 percent of respondents) or in the cloud (cited by 29 percent), were the second and third most common points of attack, Hiscox found. "In both cases those percentages were way down on the previous year, suggesting preventive work is having an effect," the report says.
The Hiscox report says the energy sector appears particularly prone to breaches of corporate-owned servers, while the construction industry leads the list of industries experiencing cloud server breaches along with travel and leisure and technology.
Fraud was the top cyber-crime threat in this year's Hiscox report, with 34 percent of companies that were attacked experiencing financial losses due to payment diversion fraud, up from 28 percent 2 years ago. Meanwhile, loss of data and virus outbreaks dropped for the second consecutive year, the report says.
Hiscox also reports that the knock-on effects of cyber attacks appear to be growing. Some 31 percent of firms that were attacked reported the costs of notifying customers of an attack have increased, the second consecutive year that cost has grown. That was also true for organizations reporting a breach for third parties, Hiscox says.
"It is worth noting that the disaster scenario is not as remote as one might believe," the Hiscox report says. "One-in-five firms (21 percent) that were attacked said the impact was enough to threaten the viability of the business. That was also the case for a fifth of the very smallest firms."
Ransomware remains a threat, the Hiscox report says. Among firms that were attacked, 20 percent received a ransomware demand, up slightly from 19 percent a year earlier. The proportion paying the ransom fell from 66 percent to 63 percent.
Hiscox found the main reasons given for paying ransom were protecting confidential information (43 percent) or protecting customer data (42 percent). "The latter was the stand out reason among large companies for paying a ransom," the report says.
Phishing emails—mentioned by 63 percent of ransomware victims—were the most common avenue for ransomware attacks.
"For three years, phishing has been far and away the main source for a ransomware attack," the Hiscox report says. "The second most common method of entry remains credential theft. Defending against both begins with employee training. Ransomware is never simple, but training employees on complex passwords, protecting their credential information using multi-factor authentication (MFA), and phishing training are relatively easy and inexpensive ways of mitigating the risk for companies of any size."
The Hiscox Cyber Readiness Report 2023 was based on surveys of 5,005 professionals responsible for their company's cyber-security strategy. The total includes more than 900 each from the United States, United Kingdom, France, and Germany; more than 400 from Spain; and more than 200 from Belgium, The Netherlands, and Ireland. Respondents completed the online survey between January 9 and February 2.