In 2019 it is reported that cybercrime breaches are up 11% year on year and has increased with over 67% in the last five years according to a study done by Accenture in their Ninth Annual Cost of Cybercrime Global Study.
Corien Vermaak, cybersecurity specialist at Cisco
Some countries are seeing alarmingly high increase numbers, the US, Germany and China leading the cost of the cybercrime list. According to the South African Banking Risk Information Centre (SABRIC), South Africa has seen an increase of over 100% in mobile banking application fraud alone.
I would like to explore what we see from a breach research perspective.
According to the Australian Government Initiative, Stay Safe Online, 50% of attacks could be blamed to web-based and insider attacks. This coincides with the IBM annual X-Force Threat Intelligence Index 2018, the company concluded that “inadvertent insiders” accounted for two-thirds of all the records that were comprised.
Our workforce is also one of the largest contributors to damages suffered during attacks as the loss of productivity is mostly understated. According to the Cisco CISO Benchmark Report, user awareness is a critical focus for CISO’s globally.
A ransomware attack takes place every 14 seconds and this is estimated to increase to 11 seconds in the next two years.
Who is the largest target sector I am asked a lot? According to three different reports, I could find in my research the small business sector is the main target.
According to the Australian government, 60% of targeted attacks struck small and medium businesses. On average across all the research, more than 50% of attack are focused on smaller businesses.
If we look at other sectors and larger enterprise businesses it is clear the financial sector is mostly affected. According to the Ponamon report published by Accenture, the financial sector suffers the greatest losses per breach in term of costs.
Cost per breach
If we look at the actual cost per breach, the jury is out, based on my research. I do however think the industry is at a place where we can roughly quantify what these breaches are costing organisations.
If we look at the figures reported by SABRIC the South African Financial sector places that cost of a breach at $1,2 million per breach. The Australian Government reports that according to reported cyber-crime research an attack costs in access of $270,000.
Germany is said to be in the top three in terms of what cybercrime is costing the country as a whole, reporting $50 billion in losses.
These numbers seemed thought-provoking, however, I like to break things down into something I can understand, so here goes my possibly simplistic view on the matter of cost.
Based on all the reports I read in researching this topic, one of the most prevalent attack vector is web-based attacks and all the reports and research teams make a noble attempt to quantify some of these breached in a statistically relevant way.
If we look at web-based attack it is reported that the cost per breach varies between $53,000 up to $114,000. If we apply a very simplistic average it is $83,000. If you take into consideration that 60% of attacks are focused on the small business sector - this figure is alarming. The question beckons if a small or medium business can survive an attack at that cost.
Risk of regulatory fines
If we discuss the cost of attacks, it will be irresponsible not to mention the added risk of regulatory fines. Even though all of the reports mention how the cost per attack is calculated mentioning business interruption, information loss, revenue loss and equipment damage among other factors. Most attacks target data and if the company is found to not have done what is reasonably expected to protect their data these attacks could be subject to fines by the Data privacy regulators.
If we take this one step further like in the case of Equifax the cost of a breach can also increase due to civil procedure or corrective actions required to assist affected data subjects. If I were to quantify the risk I would have to mention the record British Airways fine of $230 million. British Airways was fined by the UK’s data protection authority, ICO in 2019 for a breach that harvested personal and payment data. We want to see how this cost of a breach can escalate we take the example of Equifax.
Circling back to Equifax they were fined only £500,000 [$625,000] in the UK for the 2017 breach, which was the maximum fine allowed under the pre-GDPR Data Protection Act.
This however now stands at over $700 million if you add the settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and all 50 US states that claimed damages against Equifax.
I think I want to leave it at that for now. The cost of a breach is increasing as you read this and the likelihood of breaches is following suit. We elevate focus as the world takes data privacy more serious and we are seeing some large fines by Data Privacy Regulators globally.
The rhetoric question then is, does this cost risk warrant only 4-9% of IT budget?
LEGAL DISCLAIMER: This Message Board accepts no liability of legal consequences that arise from the Message Boards (e.g. defamation, slander, or other such crimes). All posted messages are the sole property of their respective authors. The maintainer does retain the right to remove any message posts for whatever reasons. People that post messages to this forum are not to libel/slander nor in any other way depict a company, entity, individual(s), or service in a false light; should they do so, the legal consequences are theirs alone. Bizcommunity.com will disclose authors' IP addresses to authorities if compelled to do so by a court of law.