The Cost of Cyber Attacks to Businesses
With the advent of digitization in the business world, companies will undoubtedly fall victim to a cyber attack at some point in their lifespan. More often than not, loopholes and gaps in weak cyber security networks allow perpetrators to extract sensitive or proprietary data for various malicious endeavors. Furthermore, a cyber attack can have rippling effects leading to more, albeit delayed, consequences. A cyber attack can inhibit daily business operations, but can also trigger unnecessary monetary costs, usually from disgruntled customers or fines incurred for violating information security regulations.
Why Do Cyber Attacks Occur?
A cyber attack happens when the confidentiality, integrity and availability of data is compromised. It can manifest in many different ways, including but not limited to DDoS (Distributed Denial of Service), phishing of private information, and the deployment of malicious software (malware) such as viruses or trojans. On 11 April 2019, in a single day, there were 44,182,397 cyber attacks worldwide recorded on the Live Cyber Attack Threat Map, which equates to 15,000 cyber attacks occurring in every blink of an eye!
Key International Cyber Attacks in 2018
With every passing year, cybercrime worsens. As expected, 2018 saw some of the biggest cyber attacks. Under Armour Inc., one of the world’s top sportswear brands, faced a severe data breach that exposed the personal information (usernames, email addresses and passwords) of 150 million users. In the same year, Facebook was involved in a data breach that left at least 50 million users’ personal data at risk after attackers exploited a vulnerability. Shockingly, even though the vulnerability had been present as early as July 2017, Facebook only became aware of it in September 2018 when they noticed a spike in unusual activity. Such attacks could have been avoided if vulnerability testing had been conducted on a frequent basis. And as if these cases weren’t enough, 2018 experienced one of the biggest security breaches ever recorded, second only to the 2013 Yahoo breach. The Starwood reservation system employed by Marriott International, the world’s largest hotel chain, was hacked, resulting in the theft of personal data of up to 500 million guests. As such, customers with reservations between 2014 and September 2018 with Starwood hotel brands owned by Marriott were affected. A huge frenzy ensued since this sensitive personal data can be easily abused to impersonate an individual.
No doubt, this casts a spotlight yet again on the importance of having a reliable cyber security network to protect personal data.
Key APAC Cyber Attacks in 2018
Zooming in on Asia Pacific (APAC), the region is equally vulnerable, or even more vulnerable, to cyber attacks on all scales, considering that the rapidly growing connectivity and digital transformation of APAC present the ideal environment for cyber criminals to thrive. India, being the second most populated country, employs technology to streamline many services and store huge amounts of information in its databases. However, the failure of organizations to protect their cyber network while concurrently expanding their digital network has unfortunately led to the compromise of their databases. One such example is the national ID database Aadhaar, which was hit with a data leak that left 1 billion Indian citizens’ personal information exposed. This is extremely worrying as sensitive biometric data such as fingerprints and iris scans, on top of personal demographic information, can be exploited and sold through the black market.
Why Do SMEs Need to Worry?
If large businesses and governmental organizations are so susceptible to cyber attacks, SMEs need to establish a tight cyber security network in order to stand a chance of survival, as their weaker infrastructure and dependence on larger organizations make them bigger targets. In fact, research shows that 70% of attacks that occur are targeted at SMEs. According to Garrett, in the US there was an overall sharp increase in cyber attacks on companies in 2018 through methods such as ransomware attacks, business email compromise (BEC) attacks and spear-phishing attacks. According to Hiscox, 47% of SMEs had experienced at least one cyber attack in a single year and, of those, 44% experienced two to four attacks. Additionally, a 2017 report by the Cyber Security Agency of Singapore on cyber threats in Singapore concluded that 40% of cyber attacks that occurred were targeted at SMEs. In 2017, there were 2,040 website defacements, 23,430 phishing URLs with Singapore links, more than 400 malware variants detected, and 25 cases of ransomware. The reports on cyber attacks in APAC illustrate that SMEs are not safe from malicious cyber attacks and that there is a dire need for companies to strengthen their security network regardless of their size.
Business Risks and Costs of Cyber Attacks
A cyber attack not only compromises the security of a company’s cyber network, but also creates undesirable consequences for its business function.
Tangible impacts are the immediate and measurable outcomes such as monetary costs. According to the U.S. Securities and Exchange Commission, the average cost of a data breach rose from $4.9 million in 2017 to $7.5 million in 2018. In Asia Pacific alone, Microsoft and Frost & Sullivan estimated that the potential economic loss can hit US$1.745 trillion, which is more than 7% of the region’s total GDP of US$24.33 trillion. A simple comparison by Hiscox shows that the average cost of cyber security incidents in a year is a minimum of US$34,606 for SMEs, while that figure is estimated at a minimum of US$1.05 million for large organizations. Apart from the tangible impacts, companies also suffer intangible costs (the less measurable effects) such as the loss of corporate reputation or consumers’ trust in a company. This is illustrated by the Facebook case mentioned earlier, where there was a loss of trust among users following the abuse of personal data. In fact, high-profile Facebook users instigated campaigns to encourage users to delete their accounts. Such business impacts are inevitable and can have a lasting effect on a company if the cyber issues are not resolved quickly.
As such, it is paramount that organizations adopt preventive measures and pay sufficient attention to their security posture. According to a 2017 report by the Ponemon Institute, not only do companies with a stronger cyber security posture respond faster to a data breach, they also reportedly experience a smaller degree of business risk, as the average decline in their stock price is no more than 3% compared to a 5% immediate decline faced by companies with a weaker cyber security posture. Apart from this, organizations should also note that such risks increase with company size. In Asia Pacific alone, a large-sized organization can possibly incur an economic loss of US$30 million, more than 300 times higher than the average economic loss for a mid-sized organization (US$96,000).
Moving on to the direct and indirect costs of a cyber attack, the main difference between these two types of costs is how easily they can be identified with cost objects. Direct costs include financial losses and data losses. Financial losses can take the form of lost productivity, fines and remediation costs. Experts revealed that there will be an estimated US$3.4 million in direct monetary loss from cyber attacks in the APAC region (Microsoft Asia News Center, 2018). Indirectly, there will be an estimated $9.7 million loss in opportunity cost for the company when it is hit by an attack that threatens customers’ trust and the reputation of the company. Induced costs include the spillover impact of a cyber breach on the broader cyber ecosystem and economy in the APAC region, such as the decrease in consumer and enterprise spending, which could lead to an estimated loss of $17.2 million. With these costs in mind, you might think that companies will value cyber security and spend significantly on this area. However, this is not always the case. ATKearney revealed that the global benchmark of cyber security spending in medium to large enterprises as a percentage of GDP in 2017 is 0.13%. APAC countries such as Singapore (0.22%) and Japan (0.21%) hover around this number, but not countries such as Malaysia (0.08%) and Indonesia (0.02%). With this in mind, in order for ASEAN countries to secure a sustained commitment to cyber security, 0.35–0.61% of their GDP should be spent on cyber security between 2017 and 2025.
Building a Well-fortified Cybersecurity System
The above-mentioned costs and risks demonstrate how important it is for companies to build a well-fortified cybersecurity system. Let us go over some of these measures and the various costs they entail.
The average cost of this security assessment is between $4,000–$100,000 and the recommended testing regularity is once to twice a year. One of the reasons for this big range in pricing is the experience of the professional. One big advantage of having highly skilled professionals conduct a pen test is that they have experience to build upon in their investigation, something specialized software falls short of.
Another method is conducting a security audit, which ranges from several thousand dollars to $20,000. A security audit will not only help to evaluate the company’s cyber security system, it also ensures compliance with regulations.
One last measure we will list is risk assessment. Risk assessment is essential for a company as it helps to lay out ground rules to protect data and also customize a risk model specific to the company’s needs.
With a number of different options available, how then should a company decide which measures to take? Here are some key points to note when choosing the best kind of products or vulnerability assessment measures.
Predicting Global Trends
Firstly, it is imperative to study predictions in the markets surrounding cyber security issues. According to the Cisco/Cybersecurity Ventures 2019 Cybersecurity Almanac, cyber attacks are the fastest-growing global crime and are increasing in size, sophistication and cost. It has also been predicted that by 2021, cybercrime damages will cost $6 trillion per annum globally. To put this point into perspective, it will be critical to understand the possible threats the company might face and the severity of the damages that could result.
Another great way to ensure the company’s data is well protected is through awareness. It is vital to teach employees the importance of measures to safeguard data. This can be done through simple steps such as maintaining strong passwords and having multi-factor authentication for personal accounts.
Constant Continuity in Assessment
Last but not least, conducting assessments and reviews regularly helps to identify potential gaps in the security network. This is even more important when the company undergoes an update of systems or technology. During this process, there could be an oversight in the security system that allows attackers to launch an attack.
Posted by QuanHeng Lim
Quanheng "Q" Lim is Director of CyberOps at Horangi.