Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.
This week: The news is dominated by the various findings of the Hiscox Cyber Readiness Report. For 50% of firms, could the cost of cybersecurity risk really be less than €3.5k per annum? In other news, the 5 key things the White House recommends you do to defend against ransomware, and the one thing they did not mention. And finally, why professional services firms are targeted by cyber criminals.
This week’s action: Check my maths, and check your numbers.
1: Hiscox Cyber Readiness Report
Hiscox, one of the leading cyber insurance providers in Ireland, has released their annual Cyber Readiness Report. It is based on a representative survey of about 6,000 firms across 8 countries, including 320 Irish companies.
There are many interesting statistics in the report, two of which I dig into later below because they question my career choice!
While the report itself is interesting, the ‘Key Findings’ section on Hiscox’s Irish website is insightful, as it focuses on the Irish statistics.
– Almost 40% of Irish firms in the survey were ranked as “cyber novices”, as they were missing basic defences.
– It is not a coincidence that almost 40% of Irish firms surveyed suffered a cyber attack (with 70% of these being attacked more than once).
– It is also not a coincidence that phishing emails were the entry doorway for 65% of attacks in Ireland (compared to 28% across the globe). This suggests Irish firms are behind the curve when it comes to training their staff so they are less likely to be fooled by a phishing email.
– Finally, it is also not a coincidence that 75% of Irish firms hit by ransomware paid the ransom. This suggests they had no effective alternative (e.g. reliable backups).
Read more: https://www.hiscox.ie/cyber-readiness (and mentioned in Sunday Times Business & Money of June 6th, 2021)
2: The White House’s 5 key things you need to do now to defend against cyber attacks (and the one key thing they have ignored)
In a memo issued this month, the Biden administration is urging corporate executives and business leaders to take immediate steps to prepare for ransomware attacks. “Companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively”.
The memo gives five best practices, including: taking / testing / securing backups; updating / patching systems promptly; testing your incident response plans; using third-party penetration testers to test your security; segmenting your network so exposure of one device does not expose your whole network.
Who am I to disagree with the White House? But I would add a sixth item: staff training. Given 65% of attacks on Irish firms last year succeeded because of phishing emails, I’d put it at the top of the list.
3: Law firms are attracting more cyber attacks
Law firms are “digital playgrounds” for cyber criminals because many of their “common business practices” make them easy targets, resulting in “avoidable risks to their clients’ sensitive data”.
For example, many firms use email to share sensitive data, others rely on third-party solutions for file sharing but don’t ask the solution providers the necessary difficult questions about cybersecurity, and firms fail to regularly train their staff about cybersecurity scams.
While this report focuses on law firms, all professional services firms should take note. You may not store lots of data for your clients, but you could hold some very valuable data points and pathways into your clients. If you are attacked, the financial cost of paying a ransom or restoring backups is not your key concern. The key concern is the impact on your professional reputation and the threat to business survival. If you are easily substituted, the reality is you will lose clients: they will deem the risk of staying with you higher than the cost of switching to a competitor. After the horse has bolted, you may be bolting the door of your office for the last time.
1: €7k was the median cost of a cyber attack to an Irish firm in the last 12 months, according to a Hiscox survey.
While I would prefer that you focus on the highest cost stated in the Hiscox survey (almost €750k), I can’t ignore this €7k figure.
If I am interpreting this figure correctly, half of the cyber attacks on the Irish firms included in this survey cost the victim less than €7k.
None of us would like to lose €7k, but it’s a very different pain from the loss of €750k.
I earn my living advising firms about cybersecurity. So, from my biased position, I would raise two points so you keep this €7k figure in perspective:
1. It’s unclear what types of attacks, firms, and costs were used as data points to calculate this figure. Page 9 of the report discusses the breakdown by company size and industry, but it doesn’t show the detail by country, attack type or cost category.
2. There’s a 50% chance that the cost to your firm will be higher than €7k, with the highest cost among those surveyed being almost €750k. As stated on page 9 of the report: “If one only looks at average or median figures, the financial impact may appear containable. But behind these figures is a range of outcomes that should send a chill down any CEO’s spine”.
PS Median figures are far more insightful than averages, as they aren’t as influenced by massive edge cases. This will become evident if next year’s report includes the HSE’s €100m+ costs.
2: 39% of the Irish firms included in the Hiscox survey were victims of a cyber attack in the last year.
Let’s do some ‘back of an envelope’ numbers:
As 70% of these firms suffered more than one attack, let’s round this up and say 50% of Irish firms will be a victim, with the median cost of an attack being €7k (as stated before).
If my maths are correct (see my ‘one action’ below), this suggests the Expected Monetary Value (EMV) of cyber risk to half of Irish firms is no more than €3.5k per annum (50% likelihood x €7k median cost).
In other words, half of Irish firms should spend no more than €3.5k per annum on cybersecurity as the expected loss is no more than €3.5k per annum.
I would interpret this in one of four ways:
1 – My maths are wrong.
2 – My career choice is wrong.
3 – Understanding the data points that fed into this number is critical.
4 – Confirming whether you are likely to be in the bottom 50% is critical, as I discuss in my ‘one action’ below.
ONE ACTION – If you do only one ‘cybersecurity’ thing this week, do this.
1: Check my maths and check your numbers:
Now is the time for all of the accountants and actuaries reading this to tell me where I went wrong in my calculations above.
Otherwise, it suggests that for half of Irish firms, the expected monetary value of cybersecurity risk is no more than €3.5k per annum.
Think about whether your firm could fall into this lower half of firms.
If it doesn’t and you’re in the top 50%, my maths would suggest that the cost of each successful attack on your firm is likely to be between €7k and €750k, so the amount you should be spending on cybersecurity is somewhere between €3.5k and €375k per annum.
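The back-of-envelope EMV calculation in the statistics section and the ‘check my maths’ action here can be written out as a short script so the numbers can be reproduced and varied. This is an added example, not code from the newsletter or from Hiscox. The likelihood and cost figures are the ones quoted above; the per-incident losses in SAMPLE_LOSSES are constructed (not survey data) and chosen to have a €7k median. The script also shows the point made in the PS about medians versus averages: adding a single loss on the scale mentioned for the HSE (€100m+) barely moves the median but multiplies the mean.

```python
"""Back-of-envelope cyber risk EMV, with a median vs mean comparison.

Added example. Figures marked 'quoted' come from the newsletter above;
SAMPLE_LOSSES is a constructed illustration, not Hiscox survey data.
"""
from statistics import mean, median

# Quoted figures (Irish firms, Hiscox survey as summarised above)
ATTACK_LIKELIHOOD = 0.50     # 39% of firms attacked, rounded up to 50%
MEDIAN_COST = 7_000          # euro, median cost of an attack
MAX_COST = 750_000           # euro, highest cost among those surveyed
HSE_SCALE_LOSS = 100_000_000 # euro, order of magnitude mentioned for the HSE

# Constructed per-incident losses (euro). Eleven values, so the median is
# the sixth sorted value: 7_000, matching the quoted median.
SAMPLE_LOSSES = [
    1_500, 2_500, 3_500, 5_000, 6_000, 7_000,
    9_000, 20_000, 80_000, 250_000, 750_000,
]


def expected_monetary_value(likelihood: float, cost: float) -> float:
    """EMV = probability of the event x cost if it happens."""
    return likelihood * cost


def emv_range(likelihood: float, low: float, high: float) -> tuple[float, float]:
    """EMV at the low and high ends of the cost range (the 'top 50%' case)."""
    return (likelihood * low, likelihood * high)


def median_vs_mean(losses: list[float]) -> tuple[float, float]:
    """Return (median, mean) of a list of per-incident losses."""
    return (median(losses), mean(losses))


def with_outlier(losses: list[float], outlier: float) -> tuple[float, float]:
    """(median, mean) after one very large loss is added to the sample."""
    return median_vs_mean(losses + [outlier])


def annual_budget_guide(likelihood: float, losses: list[float]) -> dict:
    """Expected annual loss using the median and the mean of the sample.

    The gap between the two numbers is the 'range of outcomes' the report
    warns about: a budget set from the median ignores the long tail.
    """
    med, avg = median_vs_mean(losses)
    return {
        "emv_from_median": expected_monetary_value(likelihood, med),
        "emv_from_mean": expected_monetary_value(likelihood, avg),
    }


if __name__ == "__main__":
    print("EMV (bottom half):", expected_monetary_value(ATTACK_LIKELIHOOD, MEDIAN_COST))
    print("EMV range (top half):", emv_range(ATTACK_LIKELIHOOD, MEDIAN_COST, MAX_COST))
    print("sample median/mean:", median_vs_mean(SAMPLE_LOSSES))
    print("with one HSE-scale loss:", with_outlier(SAMPLE_LOSSES, HSE_SCALE_LOSS))
    print("budget guide:", annual_budget_guide(ATTACK_LIKELIHOOD, SAMPLE_LOSSES))
```

Replace SAMPLE_LOSSES with your own firm’s incident history, or a range of plausible losses from a tabletop exercise, and compare emv_from_median with emv_from_mean; if the two differ by an order of magnitude, the median alone is not a safe basis for a budget.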
Regardless, if you do nothing else, make sure your firm is not one of the 17% of surveyed firms that said their very survival was threatened as a result of the attack.