Serious Cyberattacks on the Rise, Report Shows

About 75% of organizations have experienced a serious cyberattack in the past three years — up from 60% last year — according to the 2022 Cyber Security Insights Report conducted by S-RM, a global intelligence and cybersecurity consultancy.

The report, using information from 600 C-suite and IT budget holders from organizations with more than $500 million in revenue, also found that US businesses were slightly more likely to experience a serious cyberattack (77%) than those in the UK (73%), although both markets saw an increase in attacks.

The report notes that serious cyber incidents are rising. The number of survey respondents who reported experiencing a serious cyber incident within the past three years rose by 15% in 2022. “This suggests that organizations still have work to do to ensure their cyber security programs are equipped for the modern threat landscape.”

According to the survey, ransomware and denial-of-service attacks increased the most year-on-year, at 10% and 11% respectively, but instances of data theft, hacktivism and fraud were all up. “These increases are significant. As companies have spent more money on their cyber security, it might have followed that they began to experience fewer serious incidents. A better understanding of their threat profile, a well-trained workforce and more sophisticated tooling all improve a company’s ability to defend against cyber threats. But the increase in incident frequency suggests that a significant number of companies have either not invested their money in the right places or have not implemented their changes properly.”

The impact of this increase in incidents is clear. This year, the survey report says, “our respondents reported an average direct loss from a serious cyber incident of USD 1.5 million. This figure has decreased by roughly USD 300,000 from last year. When considered alongside the increase in incident frequency, this may suggest that organizations are managing the costs of cyber incidents better. However, USD 1.5 million remains significant, and this figure doesn’t take into account an incident’s long-term fallout. Over 30% of respondents told us their business had suffered reputational damage as the result of a cyber incident, while a quarter reported losing business altogether, meaning companies are feeling the effects of serious cyber incidents long after the hefty initial bill has been paid.”

Budgets have increased, but not enough. Cyber budgets were up 5.2% year-on-year. But, says the report, “this is unlikely to be sufficient to keep pace with increasing incident frequency and the prospects of future budget increases are gloomy. Without further commitment to cyber spend, it’s unlikely that security teams will be able to keep pace with their adversaries.”

Insurance is critical, the report states, “but the market is challenging. Cyber insurance remains a key pillar for organizations in their cyber security strategy. 97% of those surveyed currently hold a cyber insurance policy. But this form of risk transfer is increasingly challenging for companies – premiums had increased by an average of 42.1% since the last renewal. When premiums and deductibles rise, and exclusions increase, it means greater risk resides, uninsured, within the business. Preparing more thoroughly for insurance applications – and considering supplementary protection, such as incident response retainers – is recommended.”

Get the full report at s-rm-cyber-security-insights-report-2022.original.pdf (s3.us-east-1.amazonaws.com).