Multiple threat vectors, varied threat actors and, perhaps most worrying, repeated cyber-crime attacks on companies pose a serious risk to organisations small and large alike.

According to the Hiscox Cyber Readiness Report 2021, one in six of all firms attacked this year (17%) said the impact was serious enough to ‘materially threaten the solvency or viability of the company’.

Anna Collard, senior vice-president: content strategy and evangelist at KnowBe4 Africa, says the report underscores the immense challenge that organisations face when it comes to securing the business and the people within it.

“This is the time for the organisation to turn and face the threat head on,” she says. “It is too risky to think that these attacks happen to someone else, or that your systems are too good to be breached. There is always a vulnerability, or a bad decision made by an employee.”

Perhaps the most extraordinary point to come out of the Hiscox report was that more than a quarter of the organisations hit by cyber-attacks were hit more than five times in a year. Forty-seven percent of enterprise-scale firms were targeted more than six times, and 33% fought off attackers more than 25 times. That translates to 33% of companies being attacked on average twice a month. It is not just attack, pay the ransom and go. It is attack, attack again and keep on attacking.

“The more successful a breach, the more the organisation is targeted,” says Collard. “The victims of these attacks are paying the ransom and then they are being hit again. The problem is that many organisations are just paying up to protect sensitive information and this is encouraging the attackers to keep on coming back for more.” Just over half of those targeted (58%) paid a ransom – either to recover data or to prevent publication of sensitive information.

When asked about the first point of entry of the attackers, 37% of respondents mentioned their corporate-owned servers, 31% their cloud-based servers, followed by company websites (29%) and employee error such as phishing or spoofing (28%).

Collard believes that organisations can fight back and put themselves in the driver’s seat. This starts with investing in people, process and technologies and applying best practices across the organisation. It pays to have people dedicated to cybersecurity, and to invest in the people and technology that allow the organisation to achieve security maturity.

“If you achieve a certain level of maturity in your people training, processes and technology, then you can mitigate the impact of these incidents far more effectively,” says Collard. “If you do not, the impact will be far more severe. The Hiscox research shows that organisations with more mature security fare best when attacks happen. They had fewer ransomware attacks and, when hit, recovered more quickly. You need to ensure that your people know and understand your security policies, and really do recognise the value of these policies in protecting both the organisation’s data and their own.”

The focus for the future should not be on the security threats and concerns that the organisation cannot control, but on the internal systems and processes it can control. Minimise vulnerabilities by making sure that patching and updates are properly managed. Hire the right people and make sure they have the right tools at their disposal. And train everyone, all the time, so that security is embedded into the very fabric of the company and its culture.

“The future is complicated; security even more so,” concludes Collard. “But it pays off to invest in security best practices and processes that put you back in control.”