Seven out of ten organisations fail cyber security readiness test

Nearly half (45%) of firms were hit last year at an average cost of US$229,000

London, UK (6 February 2018) - A study of more than 4,000 organisations across five countries, commissioned by specialist insurer Hiscox, reveals major shortcomings in cyber security readiness at nearly three-quarters (73%) of firms.

The Hiscox Cyber Readiness Report 2018 surveyed a representative sample of private and public sector organisations in the UK, US, Germany, Spain and the Netherlands. It assessed each organisation according to its cyber security strategy and the quality of its execution – and ranked them accordingly. Only 11% scored highly enough in both areas to qualify as cyber security ‘experts’. One in six firms (16%) achieved expert status in either strategy or execution, but not both.

Key findings:

  • Larger organisations lead the way: Larger organisations in the study (those with 250-plus employees) are better prepared. One in five (21%) rank as cyber security experts and a further 17% pass the expert test in either strategy or execution. Just 7% of smaller organisations (250 or fewer employees) make the grade as experts.
  • You get what you pay for: The average organisation in the report spends $11.2m a year on IT and devotes 10.5% of it to cyber security. However, the organisations that rank as cyber experts spend twice as much on IT as those that failed the test ($19.8m on average versus $9.9m) and devote a higher proportion to cyber security (12.6% versus 9.9%). Smaller firms lack resources, directing on average 9.8% of their IT budget to cyber security compared with 12.2% for larger organisations.
  • Spending set to rise: Nearly three out of five respondents (59%) plan to increase their cyber security budgets in the year ahead. New technology tops the shopping list despite this being the area where the bulk of firms appear best prepared. The experts lead the way: for example, more than half (55%) plan to increase spending on awareness training compared with only 29% of organisations that failed the cyber readiness test.
  • Evens chance of being targeted: Almost half (45%) of the organisations surveyed report at least one cyber attack in the past year. Two-thirds of those targeted suffered two or more attacks. Financial services, energy, telecoms and government entities were the prime targets.
  • Costs range up to $25m: Among organisations that were targeted in the past year, the average cost of all incidents was $229,000. For organisations with 1,000-plus employees, the average costs ranged between $356,000 in Spain and $1.05m in the US. Individual organisations faced still higher costs – up to $20m in the UK and Germany and $25m in the US.

Steve Langan, Chief Executive of Hiscox Insurance Company, commented: “This report shines a light not only on the financial consequences of cyber incidents but also on the enormous investment being made to counter the threat. Importantly, it offers a picture of what best practice looks like. Often the answer is not ‘more technology’ but proactive thinking, more rigorous processes and better trained staff. We hope it will serve as a roadmap for all those organisations that still have some way to go.”

The study also shows:

  • Keen awareness of the threat: While many firms may lack adequate defences, two-thirds of respondents (66%) rank the cyber threat alongside fraud as a top risk to their business.
  • US and UK organisations are the most cyber-ready. One in eight (13%) US and UK firms rank as cyber experts. The Netherlands emerges as the least cyber-ready country in the report. Only 7% of all Dutch organisations rank as experts.
  • German firms face costliest incidents. When asked to estimate the cost of their single largest cyber incident, German firms reported the highest average figure, at $5m. At the other end of the scale, Spanish organisations contained the cost per incident to a maximum of $800,000.
  • Experts are more proactive: Nine out of ten cyber experts (89%) have a clearly defined cyber strategy, most (72%) make changes after a breach, and nearly all (97%) provide cyber security training for the whole workforce. Seven out of ten (72%) have conducted phishing experiments on their employees and three out of five (60%) have cyber insurance.
  • More stakeholder engagement: Cyber experts get support from the top and engage a broader range of stakeholders when setting their organisation’s cyber security strategy. Experts are more than twice as likely to agree that ‘there is formal support for cyber security from business leaders and executives on an ongoing basis’ (86% versus 38% for organisations that failed the test). More than two-thirds (68%) of cyber experts involve the board and executive management in setting their cyber strategy.
  • Watershed year for cyber insurance? The EU’s General Data Protection Regulation (GDPR) comes into force in May and, with tough penalties for the loss of personal data, is expected to boost European take-up of cyber insurance. The report shows that one-third (33%) of respondents currently have standalone cyber cover while a further quarter (25%) say they plan to take out cover in the coming year. Financial services firms are currently most likely to report being covered (48%).


For further information please contact:

Abi Clark +44 (0) 20 7448 6470 [email protected]
Caroline Cecil +44 (0) 20 7610 4110 [email protected]

Notes to editors

A full copy of The Hiscox Cyber Readiness Report 2018 can be accessed from 6 February 2018.

About the study

Hiscox commissioned Forrester Consulting to assess organisations’ cyber readiness. In total 4,103 professionals responsible for their organisation’s cyber security strategy were contacted (1,000 plus each from the UK, US, and Germany, and 500 each from Spain and the Netherlands). Drawn from a representative sample of organisations by size and sector, these are the people on the front line of the business battle against cyber crime. While all are involved to a greater or lesser extent in their organisation’s cyber security effort, 45% make the final decision on how their business should respond. Respondents completed the online survey between 12 October and 10 November 2017.

About The Hiscox Group

Hiscox is a global specialist insurer, headquartered in Bermuda and listed on the London Stock Exchange (LSE:HSX). Our ambition is to be a respected specialist insurer with a diverse portfolio by product and geography. We believe that building balance between catastrophe-exposed business and less volatile local specialty business gives us opportunities for profitable growth throughout the insurance cycle. It’s a long-standing strategy which in 2016 helped generate gross premiums written of £2,402.6 million and a record profit before tax of £354.5 million.

The Hiscox Group employs over 2,700 people in 14 countries, and has customers worldwide. Through the retail businesses in the UK, Europe and the US, we offer a range of specialist insurance for professionals and business customers as well as homeowners. Internationally traded, bigger ticket business and reinsurance is underwritten through Hiscox London Market and Hiscox Re & ILS.

Our values define our business, with a focus on people, quality, courage and excellence in execution. We pride ourselves on being true to our word and our award-winning claims service is testament to that. For more information, visit
