Cyberattacks are now so common that the majority of businesses responding to a new survey not only viewed them as their top concern but a majority saw a future attack on their organization as inevitable.
An annual survey of businesses by insurance giant Travelers Cos., which underwrites cybersecurity coverage, ranked cyberattacks as the top concern in an overall environment that was becoming more risky for doing business.
“Cyberattacks can shut down a company for a long period of time or even put it out of business, and it’s imperative that companies have a plan in place to mitigate any associated operational or financial disruptions,” Tim Francis, enterprise cyber lead at Travelers, said, in a release.
Arthur House, former chief cybersecurity risk officer for Connecticut, said Monday the survey shows what many businesses are still reluctant to talk about publicly.
“There is still somewhat of a stigma to admitting that you have been hacked in a cyberattack, said House, now an adjunct professor at the University of Connecticut teaching about cybersecurity. “As though you didn’t protect yourself adequately or there was something wrong with your IT systems.”
But House said the survey points to the reality that no company is safe from a cyberattack.
“It’s like an illness, everybody gets it,” House said. “There is not something necessarily wrong with you.”
The key, House said, is taking preventative measures as much as possible.
Those responding to the Travelers survey also saw bigger concerns compared with a year ago about economic uncertainty, rising energy costs and the ability to attract and retain employees.
The survey of 1,200 small, medium and large companies across 15-plus industries sampled opinion in mid to late July and was conducted by Hart Research for Travelers.
Travelers began its survey in 2014, and it is used as the basis for the Travelers Risk Index. For the third time in the past four years, cybersecurity ranked as the top overall concern among businesses.
But unlike a year ago, when cyberattacks ranked 6 percentage points above the next biggest concern, other issues ranked closer this year to cybersecurity.
In 2022, 59% of those responding to the survey said they “worried some or a great deal about cyberthreats.” But that was followed closely with 57% concerned about broad economic uncertainty; 56% worried about fluctuations in oil and energy costs; 56% concerned about the ability to attract and retain worker talent; and 56% worried about inflation in medical costs.
Among the biggest jumps compared with a year ago was the cost of energy, up 16 percentage points, from 40% a year ago. Supply chain disruptions increased 11 percentage points to 54%.
A report earlier this month by insurer Hiscox found that cyber criminals, who have long targeted large companies are moving down to small and mid-size employers.
In its report, Hiscox found that companies with annual revenues of $100,000 to $500,000 can now expect as many cyberattacks as those earning $1 million to $9 million. Yet, spending on cybersecurity has fallen with smaller firms.
Gareth Wharton, Hiscox’s cyber chief executive, said the pandemic may have played a part in the trend.
“The move to remote working has prompted many smaller businesses to adopt cloud solutions in preference to building out their own remote services,” Wharton wrote in an introduction to the report. “That, in turn, has encouraged more cyber criminals to exploit vulnerabilities in cloud applications and target cloud service providers, too.”
Ransomware attacks increased, with 19% of those responding to the Hiscox survey reporting one in the past year, up from 16% a year earlier. Two-thirds of the firms paid their attackers, Hiscox found.
The Travelers survey found that 71% of the companies responding to the survey had been the target of a data breach of other “cyber event” more than once.
“Multiple cyber attacks may not be random — if you are vulnerable before and don’t take appropriate action as a result, you continue to be a risk,” Travelers’ Francis said.