By Corien Vermaak – Cyber Security Specialist, Cisco
In 2019 it is reported that cyber-crime breaches are up 11% year on year and has increased with over 67% in the last five years according to a study done by Accenture in their Ninth Annual Cost of Cybercrime Global Study. Some countries are seeing alarmingly high increase numbers, the US, Germany and China leading the cost of cyber-crime list. According to the South African Banking Risk Information Centre (SABRIC), South Africa has seen an increase of over 100% in Mobile banking application fraud alone.
I would like to explore what we see from a breach research perspective. According to the Australian Government Initiative Stay safe online, 50% of attacks could be blamed to web-based and insider attacks. This coincides with the IBM annual X-Force Threat Intelligence Index 2018, the company concluded that “inadvertent insiders” accounted for two-thirds of all the records that were comprised. Our workforce is also one of the largest contributors to damages suffered during attacks as the loss of productivity is mostly understated. According to the Cisco CISO Benchmark Report, user awareness is a critical focus for CISO’s globally.
A Ransomware attack takes place every 14 seconds and this is estimated to increase to 11 seconds in the next two years. Who is the largest target sector I am asked a lot? According to three different reports, I could find in my research the small business sector is the main target. According to the Australian government, 60% of targeted attacks struck small and medium businesses. On average across all the research, more than 50% of attack are focused on smaller businesses. If we look at other sectors and larger enterprise businesses it is clear the financial sector is mostly affected. According to the Ponamon report published by Accenture, the Financial sector suffers the greatest losses per breach in term of costs.
If we look at the actual cost per breach, the jury is out based on my research. I do however think the industry is at a place where we can roughly quantify what these breaches are costing organisations. If we look at the figures reported by SABRIC the South African Financial sector places that cost of a breach at 1,2 million USD per breach. The Australian Government reports that according to reported cyber-crime research an attack costs in access of 270 thousand USD. Germany is said to be in the top three in terms of what cyber-crime is costing the country as a whole, reporting 50 billion USD in losses. These numbers seemed thought-provoking however I like to break things down into something I can understand, so here goes my possibly simplistic view on the matter of cost. Based on all the reports I read in researching this topic one of the most prevalent attack vector is Web-based attacks and all the reports and research teams make a noble attempt to quantify some of these breached in a statistically relevant way.
If we look at web-based attack it is reported that the cost per breach varies between 53 thousand USD up to 114 thousand USD if we apply a very simplistic average it is 83 thousand USD. If you take into consideration that 60% of attacks are focused on the small business sector – this figure is alarming. The question beckons if a small or medium business can survive an attack at that cost.
If we discuss the cost of attacks it will be irresponsible not to mention the added risk of regulatory fines. Even though all of the reports mention how the cost per attack is calculated mentioning business interruption, information loss, revenue loss and equipment damage among other factors. Most attacks target data and if the company is found to not have done what is reasonably expected to protect their data these attacks could be subject to fines by the Data privacy regulators. If we take this one step further like in the case of Equifax the cost of a breach can also increase due to civil procedure or corrective actions required to assist affected data subjects. If I were to quantify the risk I would have to mention the record British Airways fine of 230 million USD. British Airways was fined by the UK’s data protection authority, ICO in 2019 for a breach that harvested personal and payment data. We want to see how this cost of a breach can escalate we take the example of Equifax. Circling back to Equifax they were fined only £500,000 [$625,000] in the UK for the 2017 breach, which was the maximum fine allowed under the pre-GDPR Data Protection Act. This however now stands at over 700 million USD if you add the settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states that claimed damages against Equifax.
I think I want to leave it at that for now. The cost of a breach is increasing as you read this and the likelihood of breaches is following suit. We elevate focus as the world takes data privacy more serious and we are seeing some large fines by Data Privacy Regulators globally.
The rhetoric question then is, does this cost risk warrant only 4-9% of IT budget?