Cyber insurance company Hiscox surveyed 4,000 organizations and rated them on a cyber readiness model based on their security posture.

The majority of businesses lack cybersecurity expertise to prevent cyberattacks and protect customers, according to a recent study.

Cyber insurance company Hiscox surveyed 4,000 organizations and rated them on a cyber readiness model that divided respondents into 'cyber novices', 'cyber intermediates' and 'cyber experts'. It found that only 11 percent scored highly enough in both cyber security strategy and the quality of its execution to qualify as cyber security 'experts'.

Nearly three quarters, 73 percent, fell into the novice category, not because of underinvestment in technology but because firms are failing to support their investment in security technology with a formal strategy, sufficient resourcing and training, and sound processes.

On average, the study found experts were more proactive, with 89 percent having a clearly defined cyber strategy, 72 percent being prepared to make changes after a breach and 97 percent incorporating security training and awareness throughout the workforce.

Researchers noted that the divide in cyber readiness between the cyber novices and the cyber experts is mirrored by the firms' expenditures on IT and the proportion of it they devote to cyber security. The study found the average cyber expert spends $2.5 million a year on cyber defense, compared with only $980,000 for the average cyber novice, although it's worth noting that a higher percentage of firms rated 'experts' were larger firms, which would likely have more resources to dedicate.

Dr. Anton Grashion, a manager at Cylance, noted that the complexity of being expert enough to chase threats into the organization if they have not been prevented is also exacerbated by the growing cyber skills shortage.

"Although it was a relatively small data set from which to assess the security expertise of a territory, some of the problem boils down to increasing complexity both in the threat landscape and the complexity of building the countermeasures," Grashion said. "Using the example of the NHS and WannaCry; if the malware had been stopped before it detonated, much of the knock-on effect would have been avoided."

Grashion also noted the basic importance of organizations ensuring all of their systems are patched and up to date. Other experts agree. Ryan Wilk, Vice President of Customer Success at NuData Security, said that despite a flurry of high-profile breaches, ransoms and other security incidents, many businesses still think about cybersecurity only as an abstract threat.

"The common wisdom amongst security professionals in 2018 is that if you haven't already been breached, you will be," Wilk said. "Companies need to match this sustained threat level with cyber policies and products that protect them, their customers and employees as well as attempting to raise general awareness of cybersecurity."

Wilk added that firms can no longer rely on passwords and usernames to keep themselves safe from cybercrime, and that more stringent security measures such as passive biometrics or two-factor authentication will need to be adopted.