The threat of a cyber incident is an ever-present reality for organisations globally. 76% of those surveyed for our report, Investing in Cyber Resilience: Spend, Strategy and the Search for Value, agreed with the statement that ‘All organisations are going to have security incidents; it’s just a cost of doing business today.’
This belief is borne out by experience: 80% of organisations surveyed have experienced at least one significant cyber incident, with 60% of such incidents occurring within the last three years.
And the cost of an incident? Organisations on average have suffered USD 1.8 million in direct financial losses, and USD 2.3 million in indirect losses from their single largest cyber incidents to date. The source of these costs spans multiple domains. Overall, operational downtime (38%), response-and-recovery costs (37%) as well as increased insurance premiums (35%) were the top three most commonly cited impacts of a cyber-attack.
The emergence of insurance-related costs and constraints as a top impact reflects an ever-hardening cyber insurance market. Insurers globally have introduced additional rigour to their qualification processes, increasingly requiring organisations to demonstrate higher degrees of cyber resilience as a prerequisite for being covered. And the ballooning costs of a cyber incident are reflected in higher-trending premiums.
Strategy implementation is key
Having a fully implemented cyber strategy can play a significant part in reducing the impact of an incident. Returning to our top three impact categories, respondents with partially implemented cyber strategies were more likely than those with fully implemented plans to cite operational downtime, response-and-recovery costs and increased insurance premiums as impacts of an attack.
Finally, despite so many organisations experiencing an incident within the last three years, 39% of respondents still feel their cyber strategy could be improved by greater awareness/understanding of what to do in the event of an incident.
In our experience, we have seen how organisations that have fallen victim to a cyber-attack lose confidence in the controls they have implemented. There are many different techniques attackers use to gain unauthorised access to a network, and each requires a broad range of mitigating controls. It is therefore quite common for organisations that have experienced the devastating impact of an attack to continue to worry about whether they are doing enough.
The fear of a repeat incident can often spur companies into action and see them refocus both energy and budgets towards enhancing their resilience. In other instances, a loss of confidence following an attack can be crippling and leave teams feeling overwhelmed by the scale and complexity of the problem. In such cases, doing regular incident simulation exercises and conducting readiness assessments can help organisations feel more prepared for the next incident, and tangibly improve their response if and when the time comes.