Annual losses from cyberattacks averaged $4.7 million in the last fiscal year — with more than one in 10 firms losing over $10 million — according to a new report, which also adds that countries like India are at a heightened cyber security risk as more companies are embracing digital innovation such as Internet of Things and Artificial Intelligence – making data more accessible and its movement easier.
The report, titled The Cybersecurity Imperative, has been produced by independent researcher ESI ThoughtLab in conjunction with Willis Towers Watson and other organizations specialised in cybersecurity and risk management.
The study covered 467 firms across multiple industries in 17 countries, revealing that companies worldwide expect to boost their cybersecurity investments by 34% in the next fiscal year, after raising them by 17% the previous year. About 12% of companies surveyed plan to bolster their cybersecurity investments by over 50%. Additionally, since last year, the percentage of companies seeing a significant impact from cybercriminal activities — such as installation of ransomware — has soared, from 57% to 71%.
Peter Foster, chairman, Willis Towers Watson Global FINEX Cyber and Cyber Risk Solutions, said, “It is clear from the findings that companies are experiencing escalating impacts this year from key adversaries, including cybercriminals, malicious insiders and state-sponsored hackers, often from jurisdictions beyond the reach of local law. Establishing a continuous assessment through an integrated risk approach to cyber is critical for mitigating this ever-growing risk.”
The study also highlighted that most companies across industries and regions are witnessing a greater volume of cyber attacks and higher losses per incident. For instance, companies in China, Japan and India are seeing an estimated average loss of close to 10% of their revenue.
“Countries like India are at a heightened cyber security risk as companies embrace digital innovation such as Internet of Things and Artificial Intelligence – making data more accessible and its movement easier. Yet, spending on cybersecurity amongst organisations in India is not appropriate to the rising threats and vulnerabilities. It is critical for companies to focus on defences against human error, identification of cyber risks, installing rigorous enterprise training programs and applying an integrated approach for risk management,” explained Rohit Jain, Head of India, Willis Towers Watson.
The research shows that to combat evolving risks, companies need to take a proactive, multi-layered defense. Firms are responding by allocating the biggest share of their budgets to technology, while seeking the right balance between investments in people and process. They are also focusing more on risk identification to address emerging vulnerabilities and are investing more in resilience to ensure they can respond quickly to successful attacks.
The study makes some specific recommendations for CISOs:
- Make sure you are investing enough in cybersecurity. Some industries, such as media and consumer markets, are allocating less and may be more exposed to cyber risks.
- Think of cybersecurity like any other existential threat to your business. The risks are not just about privacy, liability and stealing data; huge operational risks can also occur if business is interrupted, with reputational impacts that can hurt market positions.
- Pay attention to risks from partners and your supply chain. As firms draw on ecosystems of third parties to drive digital transformation, they increase their vulnerabilities to cyber risks.
- Be aware that legal and regulatory risks are also rising substantially. Companies that do not comply with new standards face hefty penalties and legal consequences.
- Measure your full losses, costs and returns. When hit by a successful cyberattack, you need to understand all your costs — direct and indirect, tangible and intangible.
“There is also an urgent need for the entire cyber security ecosystem including corporates, insurers, underwriters, regulators and industry bodies to improve their understanding about cyber risk,” he further added.