The Real Cost of Cyber Attacks for Businesses


A cyber-attack is an attempt to gain unauthorized access to a computer system with the intention to disrupt, damage, or destroy the computer network or digital information. A cyber-attack can come in many different forms and is performed by a wide range of people with varying levels of sophistication and malicious intent.

In this blog, we will explain the different forms an attack can take and the driving factors for the individuals/groups attempting the attacks. We will also explore the impact a cyber-attack can have on an organisation, and explain what preventative measures you can take to stop/mitigate an attack.

 

Threat actors and forms of cyber attacks

What type of person would want to carry out a cyber-attack? Why would someone want to carry out such an attack? How does a threat actor execute an attack?

An attack can be carried out by a wide range of actors, from lone individuals to state-sponsored hacker groups, all with different intentions.

An individual/hobbyist hacker could carry out attacks to prove an ideological point or to expose and discredit an organisation’s activities. It could even be a disgruntled employee, upset that they didn’t get a promotion they felt they deserved. Your organisation may even be subject to attacks from ‘internet trolls’ who have no interest in monetary gain and are simply carrying out attacks for ‘fun’. Typically, individuals attempting a cyber-attack are the least sophisticated and use pre-existing scripts or tools to launch cyber-attacks, without an in-depth understanding of the underlying technology. These types of hackers are referred to as ‘script kiddies’. There are also ‘hacktivists’, which are groups of people who have banded together and use cyber-attacks as a means of making a political or social statement and may target government agencies, corporations, or other organisations.

Moving up the list, to a more sophisticated threat actor, we have cyber criminals.

These actors will usually carry out financially motivated attacks against an organisation and will utilise phishing campaigns or social engineering attacks to achieve their goals.

At the top of the list, and the most sophisticated, we have state-sponsored groups or APTs (Advanced Persistent Threats). These threat actors are sponsored or backed by a nation-state; they are highly sophisticated and carry out targeted cyber-attacks. An APT will mainly focus on espionage, sabotage, or cyber warfare. Some notable APTs are:

  1. Lazarus Group – Believed to be sponsored by the North Korean government. This group was responsible for the Sony Pictures hack in 2014 and is suspected to be behind the WannaCry ransomware attack in 2017.
  2. Stone Panda/Red Apollo – Believed to be sponsored by the Chinese government. It is known to attack sectors such as aerospace, defence, and high-tech manufacturing.
  3. Turla – Believed to be sponsored by the Russian government and known to target government and military organisations.

So, we’ve briefly touched on why threat actors may conduct a cyber-attack, but how do they do it? What form do they take?

A cyber-attack can come in many forms, and a threat actor has a wide range of options to choose from when conducting an attack. Examples include:

  1. Ransomware – This is a type of malware that encrypts the victim’s files. The threat actor will hold the encrypted files to ransom, only restoring access once the ransom payment has been made.
  2. Distributed denial-of-service (DDoS) – This type of attack involves utilising multiple compromised machines to flood a website or other online service with traffic in an attempt to make it unavailable.
  3. Phishing – This is a type of social engineering attack. The attackers will use emails, or other forms of communication, to try and trick victims into giving out sensitive information, such as login credentials or financial information.
  4. Social Engineering – This attack vector has some crossover with other attack vectors, mainly phishing, as it often involves tricking people into breaking normal security procedures. The main way that threat actors will try to persuade the victim is via a phishing email, i.e. impersonating an employee’s superior and asking them to break standard security practices: “I’m locked out of my account, send me your log in details so I can…etc.”

This is just a small list of examples from the many different types of attacks. The threat landscape is constantly changing, and new threats are emerging all the time.

A threat actor will consider several factors (depending on their sophistication) before deciding on an attack vector, including:

  1. Vulnerabilities – Does the target system or network have any known vulnerabilities that can be exploited?
  2. Difficulties – What are the chances of being detected? What are the required time and resources to carry out the attack?
  3. Impact – The attacker will consider the potential impact of the attack on the target, such as the financial cost, the reputational damage, or the disruption of business operations.
  4. Access – What level of access will the attacker gain through the chosen attack vector? Will they have access to the required resources to achieve their goal?
  5. Legal consequences – The attacker will consider the legal consequences of the attack vector, and how much they are willing to risk to achieve their goal.

These are a few of the many factors a threat actor may consider when choosing an attack vector. The decision-making process of an attacker and what factors are important to them may change with the ever-changing threat landscape.

 

The cost of a cyber attack

Monetary loss

Businesses across the UK face a wide range of issues, from economic uncertainty to adhering to complex and constantly evolving regulations. There are various challenges that can impact the financial stability of businesses, and cyber-attacks are a significantly growing factor. According to a Detica report, in partnership with the office of cyber security and information, the estimated economic cost of cybercrime to UK businesses is £21bn per annum, an eye-wateringly large amount of money. The financial impact of these attacks is felt by businesses through various channels, including intellectual property (IP) theft, which costs an estimated £9.2bn per year. Industrial espionage is another major financial burden for businesses, with an estimated £7.6bn in annual losses. Extortion also contributes to the overall cost of cyber-attacks, with an estimated £2.2bn in annual losses. Cyber-attacks can also lead to direct theft and data breaches resulting in the loss of customer information, leading to additional financial losses of £1.3bn and £1bn annually, respectively. These figures highlight the threat that cyber-attacks pose to businesses and stress the importance of robust cyber security measures to protect against these threats.

 

Reputational damage

As we can see, the monetary loss businesses may face following a cyber-attack is monumental. However, a cyber-attack can also cause massive damage to a company’s reputation. The trust that a business has built can be severely impacted by a cyber-attack, leading to reputational damage that can have long-term, and possibly permanent, effects. A prime example of this is when customers lose confidence in a company’s capacity to safeguard their personal information following a data breach, which may lead them to seek out other options for their business. A real-world example of the damaging effects of cyber-attacks can be seen in the case of Yahoo, which suffered data breaches in 2013 and 2014. This attack impacted the personal information of all three billion of the company’s users. Reputational harm can affect not only a company’s relationship with its customers, but also its partnerships, vendors, and investors. A more recent real-world example is the 2020 data breach experienced by the hotel chain Marriott, where the personal data of up to 5.2 million guests was exposed, leading to a decline in stock price and multiple lawsuits.

 

Loss of operations

Another consequence faced by businesses after a cyber-attack is the disruption of their operations, which results in a loss in productivity, a loss in revenue, and increased cost. Systems that are critical to a business’s operation may be compromised and become unavailable. A ransomware attack can cause a significant disruption in business operations by preventing employees from accessing their critical files and meeting deadlines, leading to an inability to continue with normal business activities. A real-world example of this can be seen in the 2017 WannaCry ransomware attack. The attack impacted a vast number of computers across 150 nations and resulted in major interruptions to various critical sectors such as healthcare and transportation. A more recent example would be the 2021 Colonial Pipeline attack, where a ransomware attack caused the largest refined oil pipeline in the United States to shut down, causing widespread fuel shortages.

 

Financial penalties

A business that fails to comply with data protection regulations may incur financial penalties from relevant regulatory bodies. The amount of the fine and the authority that issues it vary based on the location of the business. For instance, in the UK, businesses must answer to the Information Commissioner’s Office (ICO) for data protection breaches. Along with fines, organisations may also have to bear the cost of incident response and investigations, as well as compensation for affected customers, vendors, and partners. A real-world example is the 2018 data breach experienced by British Airways, which was fined £183 million by the ICO for not protecting its customers’ personal and financial data.

 

Data leaks

This has a lot of crossover with the other sections. If an organisation is the victim of a cyber-attack that results in a data leak, it can be subject to many negative consequences: a loss of trust from its customer base or partners, serious fines if it failed to adhere to strict data protection regulations, and the monetary loss associated with the cyber-attack itself. A cyber-attack can have a cascading impact on a business, resulting in multiple costs and challenges. Let’s imagine a scenario to showcase the various costs that a business may incur following a cyber-attack.

ByteBuilders is a technology company that has been subject to a cyber-attack leading to a data breach. Once the breach has been detected, the business must launch an investigation to determine the extent of the damage and to prevent any further breaches from happening. During this time, the business may face several costs, such as hiring a cyber security team to carry out the investigation and implement additional security measures. It may also incur costs from informing impacted customers, partners, and investors, which can erode trust and drive business to competitors, potentially altering the market hierarchy. ByteBuilders also failed to adhere to data protection regulations and, as a result, must now bear the cost of compensating any claimants and paying fines imposed by the relevant regulatory bodies.

As you can see, a minor issue can quickly escalate into a serious and potentially devastating situation for a business.

 

Cost of bringing in an expert

The cost of rectifying the damage caused by a cyber-attack will vary depending on several factors, including the size and complexity of the affected organisation and the type and scope of the attack. The following can influence the cost:

  1. Scale of attack – An attack that only affects a single department within a company would generally be expected to have a lower cost of remediation compared to an attack that has impacted the entire organisation.
  2. Impact of attack – The cost of remediation for a cyber-attack that has caused extensive business interruption or harm to reputation may be higher than the cost of fixing an attack that caused minimal damage.
  3. Type of attack – The cost of remediation for cyber-attacks can vary depending on the type of attack. For instance, rectifying the damage caused by a phishing attack may be more cost-effective compared to addressing a complex ransomware attack.
  4. Type of industry – UK healthcare organisations must abide by the General Data Protection Regulation (GDPR), which could raise the cost of fixing any damages resulting from a cyber-attack.

The cost of remediation following a cyber-attack can vary greatly, with the above-mentioned factors playing a part. It’s worth noting that the remediation costs incurred by a business do not come solely from hiring a third-party expert, but also from potential fines and legal fees.


 

 

The statistics

Cyber-attacks are becoming an increasingly common concern for businesses of all sizes and across all industries. The rapid evolution of technology and the development of new attack methods make organisations susceptible to security threats. To better understand the magnitude of cyber-attacks, and to highlight the significance of implementing protective measures to mitigate the risk of falling victim to one, let’s examine the statistics related to this type of crime.

 

How often do attacks occur?

Cyber attacks are a threat that businesses should be consistently aware of. According to a 2022 Cyber Security Breaches survey, “31% of businesses and 26% of charities estimate they were attacked at least once a week”. According to the 4th annual report “State of Cybersecurity Report 2021” by Accenture, the frequency of cyber-attacks has increased by 31% from 2020 to an average of 270 attacks per company over the course of a year. The frequency of these attacks highlights the importance of businesses having robust security measures in place, as well as being able to detect and respond to threats quickly and effectively.

 

Average time to detect a cyber attack

The average time to detect a cyber attack can fluctuate depending on factors such as the size of the organisation, the nature and magnitude of the attack, and the organisation’s level of readiness and response capability. According to IBM’s “Cost of a Data Breach Report 2022,” on average it took 207 days to detect a breach in 2022. That would mean, if a breach occurred on 1st January the organisation wouldn’t even know about it until 29th July that same year. It’s worth noting that different reports have varying findings on the time taken to detect a cyber attack. According to Mandiant’s “M-Trends 2022” report, the global median time for an attacker to be present in a victim environment before detection is three weeks. It should be noted that the report uses the median, which is a value at the midpoint of a sorted data set, as opposed to the average used by other sources such as IBM.

 

Average time to remediate a cyber attack

Again, the duration of time taken to remediate a cyber-attack can vary and is dependent on various factors such as the size of the organisation, the type and severity of the attack, the level of preparedness and response capability of the organisation, as well as the complexity of the remediation process. Typically, a business will need to take several steps following an attack:

  1. Containment – The breach needs to be contained to prevent any further damage. Containment measures may include isolating affected machines or shutting down systems.
  2. Assessment – After containing the breach, an assessment should be conducted to determine the extent of the damage. During this stage, it is important to determine the type of attack, identify the impacted systems and data, and assess the resources required to fully remediate the breach.
  3. Remediation – Now it’s time to take action on the remediation steps outlined in the previous step, e.g. restoring systems, patching vulnerabilities, and restoring data.
  4. Recovery – At this stage, the focus shifts towards restoring the systems and data to their pre-attack state and making sure that the necessary security measures are in place to prevent any future attacks.
  5. Review – Finally, it’s important to evaluate the response process to help identify any areas for improvement.

Since there are many factors that can contribute to the time taken to remediate an attack, there is no one-size-fits-all statistic demonstrating the average time to remediate a cyber-attack. According to the IBM report entitled “Cost of a Data Breach Report 2022”, the average time to fully remediate was 140 days.

 

Distribution of various forms of cyber attacks

The Mandiant M-Trends report contains some interesting data on the initial infection vector, with exploits (taking advantage of a vulnerability in a computer system, e.g. an unpatched webserver) still holding the top spot as the most frequently identified initial infection vector. The report lists six initial infection vectors in total. Of these, the most common is exploits (37%), followed by supply chain compromise (17%) and prior compromise (14%). Phishing accounts for 11%, while the vector referred to as “other” stands at 12%. The least common method is stolen credentials, which are responsible for 9% of initial infections. These percentages are based on identified infection vectors, meaning that of the intrusions where the method of initial infection was determined, 37% started with an exploit. It’s worth noting that different reports will show different results. Take the 2022 Verizon report, for example: it states that Denial of Service (DoS) is the clear leader, representing 46% of total incidents.

 

Industry-specific attack trend statistics

It’s challenging to determine the specific type of cyber-attack that a particular industry is targeted by. Various elements, such as the evolving threat landscape and the motivations of the attackers, can influence their decision-making process when selecting a business to target. Despite the lack of clear data, it is a well-established trend that industries that handle sensitive or valuable information are more frequently targeted by attackers. According to the Mandiant M-Trends report, the business/professional services, financial, and healthcare industries are the most targeted industries.

Which industry is impacted the most by cyber-attacks? It depends on how you define the impact of cyber-attacks, as different industry sectors may be affected differently. For example, according to data collected by Detica, the pharmaceutical and biotech industry may have the highest cost in relation to intellectual property theft, with second and third place going to electronic & electrical equipment, and software and computer services, respectively.

If the focus shifts to industrial espionage, then the financial services industry would occupy the top spot, with mining and aerospace & defence following behind. Certain industries are more prone to certain types of cyber-attacks. For instance, the healthcare sector tends to experience frequent data breaches, with the number of incidents doubling from 450 in 2016 to over 900 in 2021.

 

Preventative measures

Investing in a dedicated team

The threats that businesses face are ever-changing, and organisations must remain vigilant if they want to protect their assets and sensitive data. The impact a cyber-attack can have on a business can be monumental and potentially fatal. Taking proactive steps to secure a business can significantly decrease the likelihood of a successful cyber-attack and minimise its possible harm. The most effective preventative measure, but also the most expensive, is to invest in a dedicated team to manage, monitor and analyse an organisation’s systems and networks. So what are the best steps a company can take to prevent a cyber-attack? The following is a list of steps a business can take:

  1. Risk Management – Identifying and assessing any potential risks and implementing relevant controls. This helps an organisation better allocate its resources and budget to prioritise risk mitigation measures, and improves decision-making. Overall, the aim is to minimise harm and maximise the benefit.
  2. Asset Management – Identifying, prioritising, and maintaining a company’s assets, which helps to identify and assess vulnerabilities that may present a risk to the organisation.
  3. Vulnerability Management – Identifying and prioritising the vulnerabilities in an organisation, which helps to mitigate and remediate potential damage.
  4. Logging & Monitoring – Analysing data from various systems and devices within an organisation, enabling it to detect and respond to security incidents.
  5. Incident Management – Identifying and responding to a security incident or breach in an efficient manner. This involves creating a plan and carrying out steps for identifying, controlling, and resolving security incidents.
  6. Supply Chain Security – Protecting an organisation’s products, services and assets throughout the entire life cycle. This can involve managing the risk associated with third-party suppliers and ensuring the security of critical components in the supply chain.

 

Best practice

For companies who cannot afford to establish a dedicated security team, there are alternative steps that can be taken to significantly enhance their security posture:

  1. Employee Education & Training – Implement training to educate employees on the most effective ways to prevent a cyber-attack, e.g. identifying a phishing email, how to handle sensitive data, and the importance of a strong password.
  2. Create a strong password policy – Roll out a strong password policy requiring employees to use a complex password and to change it frequently without reusing passwords.
  3. Update Software – Ensure software is up to date with the latest security patches, e.g. operating systems, applications, and security software (anti-virus).
  4. Implement Two-factor Authentication – Rolling out two-factor authentication adds another layer of security to login credentials.
  5. Perform Regular Backups – Having backup systems in place can assist in the process of restoring operations after a cyber-attack occurs.

 

Conclusion

In conclusion, cyber-attacks can have a significant and harmful effect on businesses. The financial consequences of a data breach, coupled with the loss of productivity and damage to reputation, can be substantial and have a potentially crippling impact on an organisation. To mitigate the risk of a successful cyber-attack, it is essential for businesses to take preventative measures and proactively implement security protocols as a regular part of their operations.


Written by: Scott Hills