Many times we read headlines about an accident or event and think to ourselves, "could that happen to me?" Typically the answer is yes; it could happen.
Understanding the impact of such an event determines how or if we take measures to address the threat.
In this installment, we will look at the business impact of cyberattacks (monetary and time). By the end of this article, you will have a clear understanding of the threat cyberattacks pose to all businesses.
Many breaches won't be discovered for months, most breaches won't be caught by you, and some breaches won't have an impact on your business... but all it takes is one fraudulent breach, and the cost to you and your customers could be catastrophic.
There are many software products, appliances, and utilities for reducing the business impact of cyberattacks. Any IT service provider worth their salt should already have a dependable and capable security stack which they continually monitor for updates and incidents.
As you can see from the statistics above, a properly deployed security stack may have thwarted 20% - 40% of successful breaches in 2019.
The largest opportunity for hardening your cybersecurity readiness lies in your users. If you're asking yourself "how is that accomplished?"... we will cover this in our next article.
$6 Trillion annually - Cybercrime damage costs by 2021
$1 Trillion cumulative - Cybersecurity spending from 2017 - 2021
11 Seconds - How often a business will be hit with a ransomware attack by 2021
These statistics have doubled since 2015 and will continue to rise.
To pay or not to pay
We will include more details on this in our 4th Cybersecurity installment, 'Protecting yourself and your company from cyberattacks'.
You've been compromised: the attackers have encrypted the data your business depends on and they are asking for a ransom.
Your IT department has been diligent in maintaining backups of your data and even has 'air gapped' backups. Beyond that, they are superstars, as they routinely verify the backups to ensure they can be successfully restored.
Problem solved... just restore a known good backup and take a few long days to recreate the missing week of data not included in the clean backup (completely overlooking that the cybercriminals have likely been in your network for more than 6 months).
A few years ago this approach may have worked. Around 40% of victims paid the ransom back then. Today that number is close to 95%.
Previously, cybercriminals only leveraged your data to demand payment. They have now realized that, with full access to your network and data, they have a treasure trove of information they can use to persuade a victim to pay the ransom. With access to employee emails, client and vendor contacts, project data, accounting data, and messaging data... they are threatening to:
Target your employees
Impersonate your company to infiltrate your vendors and customers
Post or sell your data to competitors or other hackers
Release information about your company breach to the public
I’m including this as an eye-opener to how easy becoming a cybercriminal could be. ABSOLUTELY DON’T do this. This is a major driver in the increase of phishing emails in 2020.
Ransomware has been around since the first virus was created in 1989 by Harvard-trained evolutionary biologist Joseph L. Popp, who is now known as the father of ransomware. Ransomware started gaining popularity in 2016 when the Hollywood Presbyterian Medical Center shelled out $17,000 in bitcoin after an attack took the hospital offline.
Way back in 2016 :) you needed to have a high level of knowledge about networking, computers, and coding. Now all you need is a little money (sometimes not even that).
You may be familiar with SaaS (software as a service). Cybercriminals are now offering RaaS (ransomware as a service). You purchase access to a RaaS workstation that is loaded with compromised user accounts and start phishing.
In some cases, there's no subscription fee or buy-in; many RaaS developers use "affiliate" models where the developer collects all of the ransom money extorted by affiliates, takes out some percentage as commission, and passes on the remainder.
Penalties for cybercrime in the USA are extremely broad and stiff. The maximum penalty for computer abuse crimes under the federal anti-hacking law, known as the Computer Fraud and Abuse Act (CFAA), is 10 years for first offenders and 20 years for repeat offenders.
Security Breach News
These are a few security breach incidents that show the business impact of cyberattacks. This report covers the 3rd quarter (July - September 2020).
Most of these breaches are just that... a breach of security. The fallout from exposing customer data is not included in these numbers.
Sep. 28. Wall Street Journal reports a data thief has posted online documents stolen from the Clark County School District in Las Vegas. Documents include Social Security numbers, student grades, and other private information. It’s believed the data was posted to a hacker forum where it could be easily viewed because the district, which has about 320,000 students, refused to pay a ransom to destroy the data.
Sep. 23. Comparitech researchers reveal an unsecured online database belonging to Town Sports, which operates a chain of gyms, fitness clubs, and spas mainly in the Northeast United States, exposed to the internet the records of 600,000 members and employees. Comparitech says the database was exposed for at least 11 months before it was secured.
Sep. 15. The parent of Dunkin’ Donuts agrees to pay $650,000 in fines and costs to settle a lawsuit stemming from a data breach from 2015 to 2018. Under the settlement, Dunkin’ Brands Group agreed to notify customers affected by the attacks, reset their passwords, and provide refunds for unauthorized use of the chain’s value cards. Dunkin’ neither admitted nor denied wrongdoing as part of the agreement.
August 2020 - 14 incidents:
Aug. 20. U.S. Justice Department charges Joseph Sullivan, 52, former chief security officer at Uber, for allegedly paying hackers $100,000 to hide a 2016 data breach at the company that affected 57 million users and drivers. The DOJ complaint also alleges Sullivan deceived the new management of the company about the incident after it hired a new CEO in 2017.
Aug. 19. The South African branch of consumer credit reporting agency Experian discloses a data breach. It says it gave personal details of South African customers to a fraudster posing as a client. Although the company did not say how many customers were affected by the breach, the South African Banking Risk Information Centre, an anti-fraud and banking non-profit, claims the breach affected 24 million South Africans and 793,749 local businesses.
Aug. 3. Sky News reports Garmin, a maker of navigation and fitness devices, paid a multi-million dollar ransom to a ransomware gang that disrupted the company’s computer systems. It says the ransom was paid to the hackers through a third party, Areta IR, which specializes in ransomware negotiations.
Jul. 1. Researchers at Comparitech report that since 2005, K-12 school districts and colleges and universities in the United States have experienced more than 1,300 data breaches, affecting more than 24.5 million records. It adds that California schools and universities have had the most records affected during the research period and that public institutions are affected by breaches at a higher rate than private schools.
I am hoping this article has opened your eyes to the importance of cybersecurity by showing the business impact of cyberattacks.
If you haven't gone through a cybersecurity readiness assessment, I would highly recommend doing so.
If you're not sure where to turn for the assessment, Agave IT Services has the experience and tools to perform the assessment and provide you a clear picture of your readiness to withstand a cyberattack.
Make sure to check back here in a few weeks for those great tips.
Matthew worked with Agave IT Services as a Brand & Content Consultant through 2020. He managed our company transition from Agave Solutions Inc. to Agave IT Services (dba).
From our logo to our online presence and business operations platform, Matthew created a solid foundation able to support our growth into the future.
You can find
Agave IT Services
We are an IT Services and technology company serving the southwestern United States since 2003. We specialize in supporting, managing, and deploying technologies for the AEC industries' unique requirements. We differ from the typical IT service provider in that we handle ALL your technology needs, freeing you to focus on your core business.