Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/16/2020
10:00 AM
Marc Wilczek
Marc Wilczek
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Cybercrime Losses Up 50%, Exceeding $1.8B

Fewer companies are being hit by cyber incidents, but those that do get hit are hit harder and more often.

The world is rightly obsessed with the COVID-19 pandemic right now, but there's also a growing cybercrime pandemic. The good news is that fewer firms are reporting breaches. The bad news is that for those who are victimized, the attacks are more severe — and more expensive.

According Hiscox, a Bermuda-based insurance provider, cyber losses rose nearly sixfold worldwide over the past 12 months. Its recently released "Cyber Readiness Report 2020" pins the total cyber losses among affected firms at $1.8 billion — up a sobering 50% from the previous year's total of $1.2 billion. Overall, more than 6% of the respondents in the report paid a ransom, and their collective losses totaled $381 million.

Interestingly enough, Hiscox says that companies are 15 times more likely to experience a cyberattack (30% in UK) than a fire or theft (2% in UK).

Related Content:

Attacker Dwell Time: Ransomware's Most Important Metric

State of Endpoint Security: How Enterprises Are Managing Endpoint Security Threats

New on The Edge: Securing Slack: 5 Tips for Safer Messaging, Collaboration

Who Was Most at Risk?
Not surprisingly, larger organizations were the most common targets — and shelled out the most money —  for cybercriminals. The financial impact differed widely across countries, verticals, and firm sizes. According to Hiscox, the energy, manufacturing, and financial services sectors are especially at risk. This is the result of low maturity in cyber resilience and low tolerance to what is often a high-impact outage.

Irish and German companies reported the biggest median losses, but the pain was widely shared. Among the attacked organizations, the median losses for energy firms increased over 30-fold, while a number of other sectors faced losses many times greater than the previous year. The biggest recorded loss for a single organization was $87.9 million (for a UK financial services firm), and the greatest loss stemming from a single attack was $15.8 million (for a UK professional services firm).

Cybercriminals demanded ransoms from roughly 17% of the companies they attacked, and caused dire financial consequences for the targets. The highest loss from ransom was more than $50 million for one unfortunate organization.

According to the Hiscox report, malware, ransomware, business email compromise, and distributed denial-of-service (DDoS) are still the most commonly used attack vectors. Besides malicious encryption imposed through ransomware, other extortion campaigns include DDoS attacks that causes the victim's IT infrastructure to crash over and over due to a constant flood of bogus IP traffic. Recently, the stock exchange in New Zealand weathered a barrage of DDoS attacks that disrupted business operations and trading for four consecutive days. CNBC reported that the exchange's websites and markets announcement platform were also affected.

Large Number of "Don't Knows"
According to Hiscox, this year the share of firms that revealed they'd suffered a cybersecurity incident in the last year shrank from 61% to 39%. At least that's positive. The flip side is that the financial blowback has been far greater than before. Larger companies were more likely to be targeted than smaller ones. Just over half (51%) of all enterprise-level firms — those with 1,000-plus employees — reported at least one cyber incident, and the most cyber incidents by far (median: 100) and breaches (80). The most heavily targeted sectors were financial services; manufacturing; and technology, media, and telecoms (TMT) — with 44% of firms in each sector reporting at least one incident or breach.

Of particular concern is that 11% of the respondents said they weren't sure how many times they were targeted. (That's 4% more than the previous year.) Even more worrisome is that the greatest share of "I don't knows" (15%) came from enterprise firms.

Surge in Spending
The report revealed that a large and broad increase in cybersecurity spending has occurred over the past year. The average spending among the respondents was $2.1 million, up from $1.5 million the previous year. (Roughly 75% of the respondents provided figures for their cybersecurity spending.) Assuming the numbers are an accurate reflection of what's going on more broadly, the total cybersecurity spending in the past year was a staggering $11.4 billion. That compares with $7.9 billion a year ago for a sample of companies that was 3% smaller. Nearly three-quarters of firms (72%) intend to boost cybersecurity spending by 5% or more in the next year — that's up from two-thirds (67%) from the 2019 number.

As one might expect, the companies that dedicated double-digit percentages of their IT budget were less likely to have suffered a breach than those that spent less than 5%. But those big spenders, typically larger firms, had higher average costs stemming from breaches. Greater size means more customers, higher notification expenses, and bigger ransoms.

Preparation Pays Off
A notably higher percentage of this year's respondents reported that they had a harder time attracting new customers (15% of firms were targeted, up from 5% last year) after a cyber incident. They also lost more customers (11%, compared with 5% in 2019) and/or business partners (12% compared with 4%).

When asked about the adverse effects of a breach, 14% of the respondents mentioned bad publicity that tarnishes the brand or the company's reputation. Only 5% said the same thing in 2019. Thirteen percent said business performance indicators — such as their share price — were affected, up from 5% last year.

In terms of cyber readiness, size matters. Hiscox reports that large companies have more resources and can spend an order of magnitude more on warding off online evildoers than their smaller counterparts. No surprise there. Among the smaller firms that were ready to face off with the cybercriminals, 16% were digitally savvy TMT companies. Retail and wholesale and construction were also well prepared (11% and 10%, respectively). The Hiscox report concludes that most of the best-protected organizations achieved their preparedness by "taking cyber security seriously."

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
CVE-2021-31660
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.