The cost of cyber crime to business
Some countries are seeing alarmingly high increases, with the US, Germany and China leading the list of countries where cybercrime costs the most. According to the South African Banking Risk Information Centre (SABRIC), South Africa has seen an increase of over 100% in mobile banking application fraud alone.
I would like to explore what we see from a breach research perspective.
According to the Australian Government initiative Stay Safe Online, 50% of attacks could be attributed to web-based and insider attacks. This coincides with the IBM annual X-Force Threat Intelligence Index 2018, in which the company concluded that “inadvertent insiders” accounted for two-thirds of all the records that were compromised.
Our workforce is also one of the largest contributors to damages suffered during attacks, as the loss of productivity is mostly understated. According to the Cisco CISO Benchmark Report, user awareness is a critical focus for CISOs globally.
Ransomware
Cybersecurity Ventures predicts that a ransomware attack takes place every 14 seconds and this is estimated to increase to 11 seconds in the next two years.
I am often asked which sector is the largest target. According to three different reports I could find in my research, the small business sector is the main target.
According to the Australian government, 60% of targeted attacks struck small and medium businesses. On average across all the research, more than 50% of attacks are focused on smaller businesses.
If we look at other sectors and larger enterprise businesses, it is clear that the financial sector is the most affected. According to the Ponemon report published by Accenture, the financial sector suffers the greatest losses per breach in terms of costs.
Cost per breach
If we look at the actual cost per breach, the jury is out, based on my research. I do however think the industry is at a place where we can roughly quantify what these breaches are costing organisations.
If we look at the figures reported by SABRIC, the South African financial sector places the cost of a breach at $1.2 million per breach. The Australian Government reports that, according to reported cyber-crime research, an attack costs in excess of $270,000.
Germany is said to be in the top three in terms of what cybercrime is costing the country as a whole, reporting $50 billion in losses.
These numbers seemed thought-provoking; however, I like to break things down into something I can understand, so here goes my possibly simplistic view on the matter of cost.
Based on all the reports I read in researching this topic, one of the most prevalent attack vectors is web-based attacks, and all the reports and research teams make a noble attempt to quantify some of these breaches in a statistically relevant way.
Web-based attacks
If we look at web-based attacks, it is reported that the cost per breach varies between $53,000 and $114,000. If we apply a very simplistic average, it is $83,000. If you take into consideration that 60% of attacks are focused on the small business sector, this figure is alarming. The question is whether a small or medium business can survive an attack at that cost.
Risk of regulatory fines
If we discuss the cost of attacks, it would be irresponsible not to mention the added risk of regulatory fines. All of the reports explain how the cost per attack is calculated, citing business interruption, information loss, revenue loss and equipment damage among other factors. Most attacks target data, however, and if the company is found not to have done what is reasonably expected to protect its data, these attacks could also be subject to fines by the data privacy regulators.
If we take this one step further, as in the case of Equifax, the cost of a breach can also increase due to civil proceedings or the corrective actions required to assist affected data subjects.
If I were to quantify the risk, I would have to mention the record British Airways fine of $230 million. British Airways was fined by the UK’s data protection authority, the ICO, in 2019 for a breach that harvested personal and payment data. To see how the cost of a breach can escalate, take the example of Equifax.
Circling back to Equifax they were fined only £500,000 [$625,000] in the UK for the 2017 breach, which was the maximum fine allowed under the pre-GDPR Data Protection Act.
This however now stands at over $700 million if you add the settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and all 50 US states that claimed damages against Equifax.
I think I want to leave it at that for now. The cost of a breach is increasing as you read this, and the likelihood of breaches is following suit. Focus is rising as the world takes data privacy more seriously, and we are seeing some large fines by data privacy regulators globally.
The rhetorical question, then, is this: does this cost risk warrant only 4-9% of the IT budget?