Cybercriminals are becoming increasingly more sophisticated in their attack methods and taking direct aim at finance departments, costing companies unprecedented amounts of money to combat the threats, Accenture Security’s 2019 The Cost of Cybercrime study reported.
The survey of more than 2,600 security professionals in 11 countries found that the average annual total cost of cybercrime per company jumped from $11.7 million in 2017 to a record high $13 million in 2018. The study calculated these costs by adding up four categories of internal activity: cybercrime discovery, investigation, containment, and recovery. Survey participants came from 355 companies of various sizes in a variety of industries. Based on their feedback, the study’s authors estimated the total value at risk from cybercrime in the next five years at $5.2 trillion.
The number of cyberattacks per organisation increased 11%, growing from 130 attacks per year in 2017 to 145 annual attacks in 2018, according to the study.
The study also found significant regional differences in the cost of cybercrime, with the US leading the way with an average annual cost of $27.4 million.
Study author Larry Ponemon, chairman and founder of the data protection and cybersecurity research centre Ponemon Institute, chalked up the increase in costs to a new breed of cybercriminal supported by nation-states and global criminal networks.
“The bad guys today are very well funded and have lots of friends in high places and in governments around the world,” he said in an interview. “We see a constant pattern that the bad guys are developing more sophisticated attack methods that allow them to be more stealthy, more clever, and more surgical, and they’re able to identify information assets that are of great value.”
Not only are the costs of cybercrime rising, the study found, but the targets and techniques of cybercriminals are evolving as well, with malware and ransomware the most common threats. Cybercrime targets are also changing, according to the report. While “information theft is the most expensive and fastest rising consequence of cybercrime … core systems, such as industrial control systems, are being hacked in a powerful move to disrupt and destroy”, according to the report.
Hackers are also intensifying their attacks on a key vulnerability — the human layer — with a 16% increase in phishing and social engineering attacks over the last year alone, and the study reports that “many employees are often the root cause of successful cyberattacks”.
“Most people see the hacker as the bad guy in a thriller movie, breaking in and causing havoc, but by far the number one greatest risk for an organisation is the insider problem,” said Ponemon. “Sometimes that’s a malicious insider, and sometimes it’s a good person doing stupid things.”
Cybercriminals are also now often working their way through multiple third- and fourth-party systems to reach the target company by focusing on cyber weaknesses in extended supply chains, according to the report.
While the report found that the “annual costs of all types of cyberattacks is increasing”, malware attacks were the most expensive for companies to handle, with an average price tag of $2.6 million per attack. However, “the cost of ransomware (21% increase) and malicious insiders (15% increase) attack types have grown the fastest over the last year,” according to the report.
The report recommends that companies invest in defending against denial-of-service attacks, malware, and malicious insiders to “reduce this cost”.
The cost of cybercrime isn’t reflected strictly in financial terms, Ponemon said. Business disruption and reputational damage, along with the distraction of preventive threat hunting, are cybercrime’s most significant impacts, he said.
Hacking attacks “have an impact not just on the bottom line directly but on the productivity of people because the workflow comes to a halt”, he said.
The report offers some advice for companies to effectively mitigate cyber risk, through a dynamic combination of targeted technology investment, training, and IT policies and procedures.
The study outlines the following three steps for reducing the cost of cybercrime and “unlocking cybersecurity value”:
- Prioritise protecting against people-based attacks. Companies should focus on creating a “security-first culture”, according to Accenture, and accountability is key.
- Invest to limit information loss and business disruption. Investing in data protection technologies, like blockchain and other cryptographic technology, can reduce the loss and cost of attacks.
- Target technologies that reduce rising costs. Technologies that make it easier and more efficient to discover, investigate, and recover from cybercrime will help reduce costs.
However, cybercrime and cybersecurity are engaged in an escalating battle. For every innovation that companies find to mitigate the risk, and reduce the costs of, cybercrime, criminals are finding new ways to infiltrate and cost companies money.
“The general consensus is that the cost of a data breach, the cost of a cyberattack, and the frequency and the severity of these attacks are expected to get worse,” said Ponemon. “It’s very hard in this world to be fully prepared to deal with these issues, but over time we’re going to get better.”
— Drew Adamek is an FM magazine senior editor. To comment on this article or to suggest an idea for another article, contact him at Andrew.Adamek@aicpa-cima.com.