If the breach doesn’t get you, the fines will. According to the latest Cyber Readiness Report by SMB-focused insurer Hiscox, after being breached, one in three organizations were hit with fines large enough to impact their financial health.
This could result from doing business in multiple markets - California, the EU, and Canada, for example - and accruing respective fines of thousands or even millions of dollars.
This is in addition to the heavyweight threats of ransomware and AI-powered attacks. These financial risks underscore the importance of maintaining cyber readiness for businesses to stay in the black.
The Far Reach of a Modern Cyberattack
When companies experience cyber-attacks, the whole enterprise feels it. Trust is lost, and that dip in confidence is reflected in consumer attitudes - and eventually, revenue.
Organizations also take on the additional cost of notifying affected customers while struggling to drum up new business. Not surprisingly, nearly one in three employees has experienced burnout at some point, and key performance indicators like stock prices often drop.
These business repercussions are in addition to the actual cost of the cyber-attack itself: loss of productivity, downtime costs, personnel changes, PR cleanup, and ransom payments.
Increasingly, the ripples can include business humiliation and a loss of competitive edge. “Cyber-criminals are now much more focused on stealing sensitive business data – things like contracts, executive emails, financials, and intellectual property – because it’s easier to monetize than personal information,” states Eddie Lamb, global head of cyber at Hiscox. “Once stolen, they demand payment to avoid public exposure, pricing threats based on reputational damage.”
The fact that attackers are seeing more success by threatening company data than their customers' data could reveal where businesses’ real priorities lie.
Ransomware Still Hits Hard: Majority Say Make Payments Public
Ransomware and AI-powered attacks are perennial favorites among attackers, and they continue to push companies to invest in cyber insurance and shore up their security status.
According to Hiscox, 60% of surveyed organizations had experienced a cyber-attack within the last twelve months. Larger companies ($10M or more in annual revenue) were more likely to experience cyber-attacks than smaller ones ($1M or less), as were companies with more employees. This could simply reflect scale combined with the ever-present human element: more people means more opportunities to click on phishing emails or make critical errors.
Of those hit with ransomware, 80% paid a ransom - some paying multiple times to save valuable data. Of those that paid, only three in five got any of their data back, and as many as a third of those were hit with more requests for money. “Hiscox deals mainly with small businesses when it comes to cyber insurance,” says Caspar Rogers, senior insurance broker at Assured. “These businesses have less money to invest in cybersecurity, so they have weaker controls and reduced ability to recover without paying a ransom. 80% is extortionately high but heavily skewed by the data being focused on much smaller businesses.”
But like any cyber-attack, ransomware attacks have a wider ripple effect than just the company alone. Customers and sensitive information are often the biggest victims, with many calling for more accountability. According to the report, 71% of firms believe that ransom payment amounts should be publicly disclosed.
Rogers says: “Businesses should have to disclose ransomware - but not publicly. Reporting to law enforcement (NCSC) when a ransom demand is made and whether or not it is paid should be mandatory. We would then have a verifiable source of truth for tracking the ransomware epidemic.”
Full Speed Ahead
There is good news. The aggressive impact of cyber threats appears to have had a net positive effect on organizations; 83% reported increased cyber resilience this year.
Additionally, nearly all (94%) SMEs plan to increase their spending on cybersecurity and data protection over the next twelve months. As the report notes, “rather than standing still, [SMEs] are investing, training, and updating systems to keep pace with the evolving landscape.”
This additional focus is sure to have an impact. Initiatives in flight include:
Updating employee cyber training (70%)
Hiring additional staff to increase cyber resilience (60%)
Conducting quarterly supplier and partner risk assessments (88%)
Rogers says: “Investment in cybersecurity training will, of course, lead to better security. But it’s important to invest in the basics first – multi-factor authentication for remote access, doing a complete health check with your access and identity controls, and having next-gen anti-virus or detection response tooling and documented and tested disaster recovery processes. Spending in the right areas is what’s important.”
The Human Risk Element
Any overall increase in cybersecurity capability should be guided by an understanding of where those investments are best spent.
“Cyber risk is as much about people as it is about technology,” states Diva Aoun, head of cyber, Hiscox Europe. “[G]etting support with the range of cyber risks your business faces – things like business email compromise, payment diversion fraud, and social engineering – is crucial.”
Powered by AI and often leading to ransomware attacks, modern social engineering manoeuvres target employees’ lack of expertise and circumvent expensive cybersecurity technology.
Fortra’s 2025 State of Cybersecurity Survey reveals that organizations find social engineering an even bigger risk than last year, with “evolving technology” now a top concern for 50% of respondents. Recognizing threats like the following is a genuine concern:
Word-perfect AI-crafted phishing scams
Highly customized AI-generated BEC emails
Fortra Human Risk Management (HRM) helps companies prepare for the kinds of targeted, human-focused attacks they now face. Today’s breaches have a lot at stake, from hefty fines to loss of IP to the irrecoverable cost of lost customer respect.
As businesses train their users to recognize phishing ploys, learn about emerging threats, and improve their cybersecurity awareness, they protect more than their data. They are insuring their bottom line.