Cybercrime is on the rise, the consequences of it take longer to fix, and more companies are losing more money because of it, according to the Ninth Annual Cost of Cybercrime Study recently published by Accenture and the Ponemon Institute. The 2019 study is rooted in comprehensive, wide-ranging interviews with 2,647 senior leaders from 355 companies across 11 countries and 16 industries.
Today’s cyberattacks are changing – from the companies they choose to victimize, to the techniques used to carry them out, to the types of harm they wreak. Last year, there were an average of 145 security breaches – ones that infiltrated the companies’ core networks or enterprise systems – in each of the firms in the survey. That’s 11 percent higher than the number of reported breaches in 2017, and fully 67 percent higher than five years ago.
Obviously, when the number of attacks goes up, so does the cost of dealing with them. On that front, the average cost has increased to $13 million, $1.4 million more than in 2018.
These costs were based on how much the affected organizations spent to find, examine, contain and recover from a data breach over a continuous four-week period, in addition to costs incurred for subsequent work intended to prevent similar attacks. Efforts to deal with business disruptions and customer losses are also included in the cost estimate.
American firms saw the biggest cybercrime cost increases: they were 29 percent more than they were in 2018. The average per-company cost was US$27.4 million – twice the cost reported by firms in all the other countries covered in the survey.
Japan came next, at US$13.6 million, followed by Germany, at US$13.1 million. The UK (US$11.5 million) was in third place. The lowest total average costs per company were in Brazil and Australia, at US$7.2 million and US$6.8 million, respectively.
Attacks gaining further sophistication
The theft of data is the costliest result of cybercrime, and a rapidly increasing one. But data isn’t the only thing in the bad guys’ crosshairs. According to the report, mission-critical operational systems such as industrial controls are other targets, for the sole purpose of throwing a wrench into – or even destroying – a company’s business. For instance, distributed denial of service (DDoS) attacks can knock out online services for hours and cause major damage by bringing an organization’s business operations to a standstill.
While data is a top target, the bad guys don’t always want to steal it. There’s a new trend among cybercriminals to not simply copy data, but to monkey around with it so that it is either ruined or can no longer be trusted. Compromising the integrity of data seems to be the cybercrime du jour – if not now, then in coming months and years.
On top of that, cybercriminals are evolving their techniques. More than ever, they are taking aim at the weakest link in any corporate IT security system: humans. The fact is, if you want to do harm to a giant computer system, ransomware, phishing and social engineering may be your best bet. When someone’s guard is down, it’s easy to click on fake links and email attachments.
By now, these are old tricks. What’s new is the growing propensity of certain countries and their paid hackers to use these techniques to take down giant commercial companies. Some jurisdictions are starting to classify such attacks as "acts of war" in an attempt to thwart or limit cyber-security insurance settlements.
3 steps to resilience
As cybercrime becomes more widespread and sophisticated, organizations and companies are looking at a diverse threat landscape that includes ill-intentioned nation-states, back-door supply chain attacks, and threats to their data. Meanwhile, these firms are implementing newfangled, game-changing technologies before they know exactly how to secure them. For instance, automation, advanced analytics, orchestration and machine-learning technologies (to name a few) were put in place by only 28 percent of organizations — the lowest of the technologies surveyed. But they produced the second-highest cost savings for security technologies overall, at US$2.9 million.
“From people to data to technologies, every aspect of a business invites risk and too often security teams are not closely involved with securing new innovations,” said Kelly Bissell, Senior Managing Director of Accenture Security.
“This siloed approach is bad for business and can result in poor accountability across the organization, as well as a sense that security isn’t everyone’s responsibility.”
The Accenture/Ponemon study noted that better cyber-security measures can allow CIOs and other IT leaders to reduce cybercrime costs and cash in on new revenue opportunities. To this end, it presented three steps that enterprises can take to improve security and cut losses.
Since the report said that countering internal threats – such as phishing, ransomware attacks and malicious insiders – is still one of the biggest challenges, step one is to make it a priority to protect against people-centered attacks.
Another step is to budget for, and spend on, tools to put the brakes on information losses, business disruptions and system outages, which are the costliest results of cyber-attacks. This concern is highlighted by the rollouts of new privacy regulations such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA).
As well, organizations should do their best to take advantage of tools that can keep IT security costs down through automation and security intelligence, which are efficient ways to protect against attacks.