Cybercrime is increasingly affecting global businesses, a new report finds. Total costs to businesses have soared to around $280 billion, with damage to reputation, management time and customer loss / churn the primary impacts of cyber attacks. Extortion too is on the rise, with 95% of companies still falling prey to poor training and practices of staff.
The impact of cybercrime is becoming increasingly prominent to businesses and people across the globe. The Sony hack was paraded through the global news media, while the hack of Yahoo saw more than 500 million people's details find their way into the hands of hackers. The scale of attacks, and the potential fallout from them, remains large. In a new report from Grant Thornton, which involved a survey of 2,500 businesses in 36 economies worldwide, the firm explores the damage done to companies as well as the kinds of attacks currently impacting businesses.
The persistent threat of cybercrime continues to rise – the consultancy firm estimates that the global total cost of cyber-attacks on businesses stood at $280 billion in 2016, while the number of affected businesses increased 6% on last year to 21% of the sample (the number is likely higher as many businesses may not know that they have been penetrated or are not disclosing the facts).
‘Loss of reputation’ was cited as the primary impact of a cyber-attack by 29% of respondents. ‘Management time’ takes the second spot, cited by 26% of respondents, while 16.4% of respondents say that it results in ‘customer loss or churn’. Clean-up costs are cited by 12% as the primary impact, while ‘direct loss of turnover’ takes the number five spot. A loss of ‘competitiveness’ and ‘changing behaviour change’ are the least cited, at 3.6% and 3.1% respectively.
Cyber insurance, touted to be one of the fastest growing crisis insurance segments, remains relatively underutilized: 52% do not have such insurance, 35% do, while 13% are not aware of possible coverage. The industry itself remains in its nascent stages, with vendors still devising the best way to protect companies, particularly large companies.
Different regions have considerably different profiles in terms of the most common cyber-attacks to affect them. Africa, for instance, predominantly incurs ‘monetary theft’, at around 31% of attacks, while the APAC region commonly contends with ‘IP theft’, as cited by 30.2%. Eastern Europe and Western Europe predominantly suffer ‘damage to infrastructure’, at 41.5% and 31.4% respectively. Latin America tends to incur attacks on ‘critical business information’.
The infiltration, according to analysis by the firm – as well as wider industry analysis – tends to stem from bad habits among key employees, all the way up to the top of businesses. These habits, which may stem from anything from improper training to disengaged staff, are implicated in up to 95% of attacks.
FBI director James Comey remarks, “The internet is like the most dangerous parking lot imaginable. If you were crossing it late at night, your entire sense of danger would be heightened. You'd know where you were going. You'd walk quickly. You would look for light. But folks are wandering around that proverbial parking lot all day long, without giving a thought to whose attachments they're opening, what sites they're visiting. And that makes it easy for the bad guys.”
The research also considered the increased incidence of extortion as a means of garnering value from attacked companies. Extortion can take a number of different forms, from ransomware and denial of service attacks to the divulging of details, whether personal or professional. Blackmail remains a relatively insidious crime, insofar as those affected tend not to wish to disclose that they have been affected.
The problem persists across all regions, although Asia, Latin America and APAC are the most heavily affected, at 35.1%, 28.1% and 24.9% respectively. The Financial Services industry is the most heavily affected, with 45.8% of affected companies reporting extortion as the attack method, followed by Healthcare, at 23.7%, and Energy, at 23.3%.
Paul Jacobs, Global leader – cyber security at Grant Thornton, comments, “Whatever form cyber-attacks come in though, for businesses today it’s a question of when rather than if. Building cyber resilience must therefore be a company-wide priority. Yes, strengthening defences to prevent attacks occurring is vital. But it doesn’t end with pulling up the drawbridge. Firms which overlook being mobilised and ready to respond to attacks after they have occurred do so at their peril. That preparedness needs to be multifaceted, too. Simply guarding against one form of attack won’t cut it.”