If it seems like the number of cyber attacks is growing quickly, it isn’t just your imagination. Nine of ten businesses experienced at least one hacking incident in the past year, according to the results of a survey of business risk managers conducted onsite at the Risk and Insurance Management Society Conference by specialty insurer Hartford Steam Boiler Inspection and Insurance Company (HSB), part of Munich Re.
“Hackers are even more relentless,” says Eric Cernak, Cyber Practice Leader for Munich Re. “Sixty-four percent of risk managers say their organization has experienced more than six hacking incidents in the last year—up from 32 percent in 2015. U.S. businesses are under constant assault.”
Given the proliferation of electronic devices and connectivity, known as the Internet of Things (IoT), businesses are increasingly vulnerable, especially when employees use personal devices that connect to the company’s network or use them to access company information. Indeed, risk managers say they are worried about the safety and security of IoT devices and—notably—only 28 percent of them consider IoT devices safe for business use. Despite these concerns, more than half (56 percent) of the survey respondents say their company has implemented or plans to implement such devices.
“As businesses use IoT devices to improve productivity and efficiency, executives must think about the security costs,” says Cernak. “Hackers are always looking for ways to access company business systems, and connected devices provide additional infiltration points. It’s important to control security features on these devices and monitor employee use.”
HSB conducts the survey annually, so this year’s responses may be compared with those from last year to see how perceptions change. For example, when asked about the risk management services they have deployed to combat cyber risk, risk managers cited encryption (44 percent; up from 25 percent in 2015); intrusion detection/penetration testing (28 percent; down from 32 percent last year) and employee education programs (12 percent; down from 25 percent last year).
Considering the increased availability of and interest in cyber insurance, one might think that most risk managers would have purchased the coverage for their organizations. That isn’t necessarily the case, however. For additional protection, 50 percent of the respondents said their organization has either purchased cyber insurance for the first time or increased its level of coverage in the last year. Interestingly, 30 percent of the respondents said their business doesn’t have any level of cyber insurance coverage. Primary reasons cited for not adopting such coverage include its perceived complexity (44 percent), lack of a sufficient threat (34 percent) and cost (22 percent).
One of the survey responses that I find most interesting is the decreasing emphasis on employee education, especially since employees increasingly use their own smartphones, tablets and laptops, which creates more entry points that are vulnerable to cyber attack. One would think that initiatives to educate employees about the different approaches cyber attackers employ—such as phishing attacks that dupe employees into downloading malware—and explain how to avoid having systems compromised could play a significant role in preventing cyber attacks, but that doesn’t seem to be the case.
What are your thoughts on the rise of cyber attacks? Do you see an increased focus on initiatives to prevent such attacks?