2023 Cyber Resiliency Report
As cyberattacks become more frequent and complex, it's critical that businesses understand the threat and take action to become cyber resilient.
Hanover Specialty's 2023 Cyber Resiliency Report reveals that while small- and mid-sized business decision-makers have high confidence in their organization's cybersecurity posture, their businesses are generally unprepared for the threat of a cyberattack.
This affirms the important role independent insurance agents can play as experienced advisers, offering risk management consultation and access to services to help business leaders protect their operations and maximize the benefits of their cyber insurance programs.
Key findings
- Only 7% of small- to mid-sized businesses think it's very likely that their business will be impacted by a cyberattack in the next 12 months.
- Nearly half report their business, suppliers or customers were impacted by a data breach or cyberattack over the last 12 months.
- 1 in 2 report their business has not conducted a business-wide cyber risk assessment in the last 12 months.
Perception vs. reality
While these decision makers do not think their business will be impacted by a cyberattack in the coming year, most respondents engage in activities that raise the risk of a data breach or cyberattack.
- 67% store business documents in the cloud
- 64% access business email on personal devices
- 33% connect business devices to public or unsecured Wi-Fi networks
What this means for agents
This presents an opportunity for independent agents and brokers to discuss these exposures with their customers, especially since business leaders surprisingly say they are concerned about cyber risk—revealing a disconnect between the perceived likelihood of an attack and the reality of ever-present cyber risk. Business leaders note concern about:
- 71%: Destruction or corruption of business files and data from a ransomware attack
- 78%: Lost access to business computer systems and software
- 65%: Their business’s website being attacked by hackers
Out of sight, out of mind
As new risks emerge, businesses are overlooking specific threats.
BREACH OF PII
While breaches of personally identifiable information (PII) were once a top concern, now, only 34% of business leaders say they’re very concerned about a breach. Yet with double extortion ransomware attacks, the threat of a breach of PII is very real. In these events, bad actors:
- Encrypt data on the victim's system
- Create a copy of the data and exfiltrate it from the business's network
- Threaten to leak the data on the dark web or to the public
During these events, cybercriminals demand a ransom twice.
SUPPLY CHAIN ATTACKS
Most businesses protect against, and plan for, scenarios in which they are the direct target of a cyberattack. But bad actors are taking advantage of supply chains, exploiting vulnerabilities in a business' partners, to gain access to their end target indirectly.
Yet 63% of businesses say they do not evaluate the security practices of potential vendors and service providers before working with them.
With businesses increasingly turning to outsourcing as a solution to today’s challenging labor environment, the threat of being a victim of an attack continues to grow.
Addressing cybersecurity gaps
Help customers become cyber resilient
When it comes to cyber threats, most small- and mid-sized businesses do not have basic prevention measures in place. This creates an opportunity for independent agents and brokers to talk with their customers about the importance of proactively managing cyber risk and leveraging cybersecurity services, like those offered through the Hanover CyberSecure Program™, to help prevent cyber losses.
VULNERABILITIES: Most businesses do not have basic prevention measures in place. | HOW YOU CAN HELP: Offer solutions from leading service providers to help address gaps. |
---|---|
Cybersecurity training | eRiskHub® |
Multi-factor authentication (MFA) | HYPR |
Data protection and recovery | Metallic |
Endpoint protection | |
Incident response planning | eRiskHub® |
Managed detection and response | |
Post-breach support | Cyber incident response partners |
About The Hanover CyberSecure Program
With thousands of cyber risk management service providers in the marketplace, it can be challenging to know which industry experts to turn to. The Hanover CyberSecure Program brings together a variety of technology solutions offered through vetted industry partners, making it easy for policyholders to leverage the services to help protect their businesses from cyber threats and prevent cyber losses. These services are offered at no charge or at a discount.
"Amidst the digital landscape's growing complexities, this new data unveils a stark truth: businesses are at a crossroads between acknowledging the looming cyber threat and taking meaningful action. With a small percentage of business decision-makers thinking a cyber incident is 'very likely,' the difference between perception and reality is glaring. Business leaders are in need of education regarding risk mitigation available to them to reduce the risk of cyber loss, which creates an opportunity for agents to better serve their customers."
- Eric Cernak, head of cyber at The Hanover
Survey method
The research was conducted online in the United States by The Harris Poll on behalf of Hanover among 300 small business owners and executives defined as U.S. adults ages 21+ who are employed full-time or part-time, have a title of owner/president/partner/C-suite executive at their company, and the company employs 3-249 employees. The survey was conducted August 17-24, 2023. Data were sampled to be representative by employee size to ensure they were in line with their actual proportions in the population.
Respondents for this survey were selected from among those who have agreed to participate in our surveys. The sampling precision of Harris online polls is measured by using a Bayesian credible interval. For this study, the sample data is accurate to within ± 5.63 percentage points using a 95% confidence level. This credible interval will be wider among subsets of the surveyed population of interest.
For complete survey methodology, including weighting variables and subgroup sample sizes, please contact Kyle Tildsley at ktildsley@hanover.com.