The average cost of a cybersecurity attack has been increasing over time. The rewards to hackers in cyberheists have also been increasing, and this has been motivating them to come up with even better tools and techniques in order to allow them to steal more money and data. Several cybersecurity companies have listed their estimates for the average costs of cyber attacks in 2017/2018.
This article is an excerpt taken from the book, Hands-On Cybersecurity for Finance written by Dr. Erdal Ozkaya and Milad Aslaner. In this book you will learn how to successfully defend your system against common cyber threats, making sure your financial services are a step ahead in terms of security.
In this article, you will learn the different losses an organization faces post a cyber attack.
According to IBM—a tech giant both in hardware and software products—the average cost of a cybersecurity breach has been increasing and is now at $3,860,000. This is a 6.4% increase in their estimate for 2017. The company also estimates that the cost of each stolen record that has sensitive information in 2018 is at $148, which is a rise of 4.8% compared to their estimate for 2017. The following is IBM’s report on the cost of a cyber breach in 2018:
This year’s study reports the global average cost of a data breach is up 6.4% over the previous year to $3,860,000 million. The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8% year over year to $148.
The cost of different cyber attacks
While it might be easy to say that the average cost of a hack is $3,000,000, not all types of attacks will be around that figure. Some attacks are more costly than others. Costs also differ with the frequency of an attack against an organization. Consequently, it’s good to look at how costs vary among common cyber attacks. The following screenshot is Accenture’s graphical representation of the costs of the most common attacks based on their frequency in 2016 and 2017. This data was collected from 254 companies around the world:
To interpret this data, one should note that frequency was taken into consideration. Consequently, the most frequent attacks had higher averages. As can be seen from the graph, insider threats are the most frequent and costly threats to an organization. Attacks related to malicious insiders led to losses averaging $173,516 in 2017. The reason for this high cost is due to the amount of information that insider threats possess when carrying out an attack. Since they’ve worked with the victim company for some time, they know exactly what to target and are familiar with which security loopholes to exploit. This isn’t a guessing game but an assured attack with a clear aim and a preplanned execution. According to the graph by Accenture, malicious insiders were followed by denial of service (DoS) attacks at an annual cost of $129,450, and then malicious code at an annual cost of $112,419.
However, when frequency is not considered, there are several changes to the report, as can be seen from the following graphical representation:
This graph is representative of the situation in the real world. As can be seen, malware attacks are collectively the costliest. Organizations hit by malware lose an average of $2,400,000 per attack. This is because of the establishment of an underground market that’s supports the quick purchase of new malware and the huge number of unpatched systems. Malware has also become more sophisticated due to highly skilled black hats selling their malware on the dark web at affordable prices. Therefore, script kiddies have been getting highly effective malware that they can deploy in attacks. Web-based attacks come in second at $2,000,000, while DoS attacks are ranked third at $1,565,000. DoS attacks are ranked high due to the losses that they can cause a company to incur.
Breakdown of the costs of a cyber attack
The direct financial losses that have been discussed are not as a result of money stolen during an attack or records copied and advertised as for sale on the deep web. All cyber attacks come bundled with other losses to the company, some of which are felt even years after the attack has happened. This is why some attacks that do not involve the direct theft of money have been ranked among the most costly attacks. For instance, DoS does not involve the theft of money from an organization, yet each DDoS attack is said to average at about $1,500,000. This is due to the other costs that come with the attacks. The following is a breakdown of the costs that come with a cyber attack.
During a cyber attack, productive processes in some organizations will come to a halt. For instance, an e-commerce shop will be unable to keep its business processes running once it’s attacked by a DDoS attack or a web-based attack. Organizations have also had their entire networks taken down during attacks, preventing any form of electronic communication from taking place. In various industries, cyber attacks can take a toll on production systems. Weaponized cyber attacks can even destroy industrial machines by messing with hardware controls. For instance, the Stuxnet cyberattack against Iran’s nuclear facility led to the partial destruction of the facility. This shows the affect that an attack can have even behind highly secured facilities.
With the looming cyber warfare and worsening political tensions between countries, it can only be feared that there will be a wave of cyber attacks targeted at key players in the industrial sector. There has been a radical shift in hacking tendencies in that hackers are no longer just looking to embezzle funds or extort money from companies. Instead, they are causing maximum damage by attacking automated processes and systems that control production machines. Cyber attacks are heading into a dangerous phase where they are able to be weaponized by competitors or enemy states, enabling them to cause physical damage and even the loss of life. There are fears that some states already have the capabilities to take over smart grids and traffic lights in US cities. ISIS, a terrorist group, was once also reported to be trying to hack into the US energy grid.
In any case, production losses are moving to new heights and are becoming more costly. A ransomware attack in 2016 called WannaCry was able to encrypt many computers used in industrial processes. Some hospitals were affected and critical computers, such as those used to maintain life support systems or schedule operations in the healthcare facilities, were no longer usable. This led to the ultimate loss: human life. Other far-reaching impacts are environmental impacts, regulatory risks, and criminal liability on the side of the victim.
Cybercrime has become an economic disaster in many countries. It is estimated that at least $600,000,000,000 is drained from the global economy through cybercrime annually. This is quite a huge figure and its impact is already being felt. $600,000,000,000 is an enormous figure and the loss of this has affected many factors, including jobs. Cybercrime is hurting the economy and, in turn, hurting the job market (https://www.zdnet.com/article/cybercrime-drains-600-billion-a-year-from-the-global-economy-says-report/):
Global businesses are losing the equivalent of nearly 1% of global Gross Domestic Product (GDP) a year to cybercrime, and it’s impacting job creation, innovation, and economic growth.
So says a report from cybersecurity firm McAfee and the Center for Strategic and International Studies (CSIS), which estimates that cybercrime costs the global economy $600,000,000,000 a year—up from a 2014 study which put the figure at $445,000,000,000.
Companies are being targeted with industrial espionage and their business secrets are being stolen by overseas competitors. In the long run, companies have been facing losses due to flooding of markets with similar but cheap and substandard products. This has forced companies that were once growing fast, opening multiple branches, and hiring thousands, to start downsizing and retrenching their employees. In the US, it’s estimated that cybercrime has already caused the loss of over 200,000 jobs. The loss of jobs and the drainage of money from a country’s economy has made cyber crime a major concern globally. However, it might be too late for the loss to be averted. It’s said that many industries have already had their business secrets stolen. In the US, it’s estimated that a large number of organizations are those that are not aware of having been breached and their business secrets stolen. Therefore, the economic loss might continue for a while.
In 2015, then US president Barack Obama agreed to a digital truce to put an end to the hacking of companies for trade secrets because US companies were losing too much data. The following is a snippet from the BBC (https://www.bbc.co.uk/news/world-asia-china-34360934) about the agreement between Xi and Obama:
US President Barack Obama and Chinese President Xi Jinping have said they will take new steps to address cybercrime.
Speaking at a joint news conference at the White House, Mr. Obama said they had agreed that neither country would engage in cyber economic espionage.
Political tensions with China due to Donald Trump’s presidency are threatening this truce, and an increase in hacking could occur against US companies if these tensions run too high. Unlike Obama, Trump is taking on China head-on and has been hinting at retaliatory moves, such as cutting off China’s tech companies, such as Huawei, from the US market. The US arrests of Huawei employees are likely to cause retaliatory attacks from the Chinese; China may hack more US companies and, ultimately, the two countries might enter into a cyber war.
Damaged brand and reputation
An organization will spend a lot of money on building its brand in order to keep a certain market share and also to keep investors satisfied. Without trusted brand names, some companies could fall into oblivion. Cyber attacks tend to attract negative press and this leads to damaging a company’s brand and reputation. Investors are put in a frenzy of selling their shares to prevent further loss in value. Shareholders that are left holding onto their shares are unsure whether they will ever recover the money trapped in their shares. Consequently, customers stop trusting the victim company’s goods and services. Competitors then take advantage of the situation and intensify marketing in order to win over the customers and investors of the victim company. This could happen within a day or a week due to an unpreventable cyber attack. Investors will always want to keep their money with companies that they trust, and customers will always want to buy from companies that they trust. When a cyber attack breaks this trust, both investors and customers run away. Damage to a brand is very costly. A good example is Yahoo, where, after three breaches, Verizon purchased the company for $4,000,000,000 less than the amount offered in the previous year, before the hacks were public knowledge. Therefore, in a single company, almost $4,000,000,000 was lost due to the brand-damaging effects of a cyber attack. The class-action law suits against Yahoo also contributed to its lower valuation.
Loss of data
Despite the benefits, organizations are said to have been sluggishly adopting cloud-based services due to security fears. Those that have bought into the idea of the cloud have mostly done this halfway, not risking their mission-critical data to cloud vendors. Many organizations spend a lot of resources on protecting their systems and networks from the potential loss of data. The reason that they go through all of this trouble is so that they don’t lose their valuable data, such as business secrets. If a hacker were to discover the secret code used to securely unlock iPhones, they could make a lot of money selling that code to underground markets. This is because such information is of high value to a point where Apple was unwilling to give authorities a code to compromise the lock protection and aid with the investigations of terrorists. It wasn’t because Apple isn’t supportive of the war against terrorism; it was instead a decision made to protect all Apple users. Here is a snippet from an article (https://www.theguardian.com/technology/2016/feb/22/tim-cook-apple-refusal-unlock-iphone-fbi-civil-liberties) on Apple’s refusal to unlock an iPhone for the FBI:
“Apple boss Tim Cook told his employees on Monday that the company’s refusal to cooperate with a US government to unlock an iPhone used by Syed Farook, one of the two shooters in the San Bernardino attack, was a defense of civil liberties.”
No company will trust a third party with such sensitive information. With Apple, if a hacker were to steal documentation relating to the safety measures in Apple devices and their shortcomings, the company would face a fall in share prices and a loss of customers. The loss of data is even more sensitive in institutions that offer far more sensitive services. For instance, in June 2018, it was reported that a US Navy contractor lost a large amount of data to hackers. Among the sensitive data stolen were sensitive details about undersea warfare, plans of supersonic anti-ship missiles, and other armament and defense details of US ships and submarines.
Fines, penalties, and litigations
The loss of data in any cyber attack is recovered by all organizations, particularly if the data lost is sensitive in nature. The loss of health, personal, and financial data will cause a company agony when it considers the consequences that will follow. The loss of these types of data comes with many more losses, in the form of fines, penalties, and litigations. If a company is hacked, instead of receiving consolation, it’s dragged into court cases and slapped with heavy fines and penalties.
Several regulations have been put in place to ensure the protection of sensitive, personally-identifiable information (PII) by the organizations that collect them. This is due to the impact of the theft of such information. The demand for PII is on the rise on the dark web. This is because PII is valuable in different aspects. If, for instance, hackers were to discover that some of the data stolen from a hospital included the health information of a politician, they could use this data to extort huge amounts of money from the politician. In another scenario, hackers can use PII to social engineer the owners. Armed with personal details, such as name, date of birth, real physical address and current contact details, it’s very easy for a skilled social engineer to scam a target. This is part of the reason why governments have ensured that there are very tough laws to protect PII.
Losses due to recovery techniques
After an attack, an organization will have to do everything it can to salvage itself. The aftermath of a serious attack is not pretty, and lots of funds have to be used to clean up the mess created by the hackers. Some companies prefer to do a complete audit of their information systems to find out the exact causes or influential factors in the attack. Post-breach activities, such as IT audits, can unearth important information that can be used to prevent the same type of attack from being executed. Some companies prefer to pay for digital forensics experts to identify the cause of an attack as well as track the hackers or the data and money stolen. Digital forensics is sometimes even able to recover some of the lost assets or funds. For instance, Ubiquiti Networks was hacked in 2015 and $46,000,000 was stolen through social engineering. Using digital forensics, $8,000,000 was recovered in one of the overseas accounts that the hackers requested the money be sent to. Sometimes all the stolen money can be recovered, but in most instances, that’s not the case. The following is an article on the recovery of $8,100,000 by Ubiquiti Networks after an attack that stole $46,000,000:
“The incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department. This fraud resulted in transfers of funds aggregating $46,700,000 held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.
“Ubiquiti says it has so far managed to recover $8,100,000 of the lost funds, and it expects to regain control of another $6,800,000. The rest? Uncertain.”
In short, the costs associated with a cyber attack are high and charges can even continue for several years after the actual attack happens. The current estimate of each attack being around $3,000,000 per victim organization is a mere statistic. Individual companies suffer huge losses. However, the costs associated with cybersecurity are not solely tied to the negative aftermath of an attack. Cybersecurity products are added, but necessary, expenditure for organizations. Analysts say that 75% of cyber attacks happen to people or organizations that don’t have any cybersecurity products.
If you’ve enjoyed reading this article, head over to the book Hands-On Cybersecurity for Finance to know more about the different types of threat actor groups and their motivations.
Defensive Strategies Industrial Organizations Can Use Against Cyber Attacks
Hydro cyber attack shuts down several metal extrusion plants
5 nation joint Activity Alert Report finds most threat actors use publicly available tools for cyber attacks