The world is rightly obsessed with the COVID-19 pandemic right now, but there's also a growing cybercrime pandemic. The good news is that fewer firms are reporting breaches. The bad news is that for those who are victimized, the attacks are more severe — and more expensive.
According to Hiscox, a Bermuda-based insurance provider, cyber losses rose nearly sixfold worldwide over the past 12 months. Its recently released "Cyber Readiness Report 2020" pins the total cyber losses among affected firms at $1.8 billion — up a sobering 50% from the previous year's total of $1.2 billion. Overall, more than 6% of the respondents in the report paid a ransom, and their collective losses totaled $381 million.
Interestingly enough, Hiscox says that companies are 15 times more likely to experience a cyberattack (30% in the UK) than a fire or theft (2% in the UK).
Who Was Most at Risk?
Not surprisingly, larger organizations were the most common targets — and shelled out the most money — for cybercriminals. The financial impact differed widely across countries, verticals, and firm sizes. According to Hiscox, the energy, manufacturing, and financial services sectors are especially at risk. This is the result of low maturity in cyber resilience and low tolerance to what is often a high-impact outage.
Irish and German companies reported the biggest median losses, but the pain was widely shared. Among the attacked organizations, the median losses for energy firms increased over 30-fold, while a number of other sectors faced losses many times greater than the previous year. The biggest recorded loss for a single organization was $87.9 million (for a UK financial services firm), and the greatest loss stemming from a single attack was $15.8 million (for a UK professional services firm).
Cybercriminals demanded ransoms from roughly 17% of the companies they attacked, and caused dire financial consequences for the targets. The highest loss from ransom was more than $50 million for one unfortunate organization.
According to the Hiscox report, malware, ransomware, business email compromise, and distributed denial-of-service (DDoS) are still the most commonly used attack vectors. Besides malicious encryption imposed through ransomware, other extortion campaigns include DDoS attacks that cause the victim's IT infrastructure to crash over and over due to a constant flood of bogus IP traffic. Recently, the stock exchange in New Zealand weathered a barrage of DDoS attacks that disrupted business operations and trading for four consecutive days. CNBC reported that the exchange's websites and markets announcement platform were also affected.
Large Number of "Don't Knows"
According to Hiscox, this year the share of firms that revealed they'd suffered a cybersecurity incident in the last year shrank from 61% to 39%. At least that's positive. The flip side is that the financial blowback has been far greater than before. Larger companies were more likely to be targeted than smaller ones. Just over half (51%) of all enterprise-level firms — those with 1,000-plus employees — reported at least one cyber incident, and they also reported by far the most cyber incidents (median: 100) and breaches (median: 80). The most heavily targeted sectors were financial services; manufacturing; and technology, media, and telecoms (TMT) — with 44% of firms in each sector reporting at least one incident or breach.
Of particular concern is that 11% of the respondents said they weren't sure how many times they were targeted. (That's 4% more than the previous year.) Even more worrisome is that the greatest share of "I don't knows" (15%) came from enterprise firms.
Surge in Spending
The report revealed that a large and broad increase in cybersecurity spending has occurred over the past year. The average spending among the respondents was $2.1 million, up from $1.5 million the previous year. (Roughly 75% of the respondents provided figures for their cybersecurity spending.) Assuming the numbers are an accurate reflection of what's going on more broadly, the total cybersecurity spending in the past year was a staggering $11.4 billion. That compares with $7.9 billion a year ago for a sample of companies that was 3% smaller. Nearly three-quarters of firms (72%) intend to boost cybersecurity spending by 5% or more in the next year — up from two-thirds (67%) in 2019.
As one might expect, the companies that dedicated double-digit percentages of their IT budget to cybersecurity were less likely to have suffered a breach than those that spent less than 5%. But those big spenders, typically larger firms, had higher average costs stemming from breaches. Greater size means more customers, higher notification expenses, and bigger ransoms.
Preparation Pays Off
A notably higher percentage of this year's respondents reported that they had a harder time attracting new customers after a cyber incident (15% of firms, up from 5% last year). They also lost more customers (11%, compared with 5% in 2019) and/or business partners (12%, compared with 4%).
When asked about the adverse effects of a breach, 14% of the respondents mentioned bad publicity that tarnishes the brand or the company's reputation. Only 5% said the same thing in 2019. Thirteen percent said business performance indicators — such as their share price — were affected, up from 5% last year.
In terms of cyber readiness, size matters. Hiscox reports that large companies have more resources and can spend an order of magnitude more on warding off online evildoers than their smaller counterparts. No surprise there. Among the smaller firms that were ready to face off with the cybercriminals, 16% were digitally savvy TMT companies. Retail and wholesale and construction were also well prepared (11% and 10%, respectively). The Hiscox report concludes that most of the best-protected organizations achieved their preparedness by "taking cyber security seriously."