This is the third article in our 4-part Cybersecurity series.
Many times we read headlines about an accident or event and think to ourselves ‘could that happen to me’. Typically the answer is yes; it ‘could’ happen.
Understanding the impact of such an event determines how or if we take measures to address the threat.
In this installment, we will look at the business impact of cyberattacks (monetary and time). By the end of this article, you will have a clear understanding of the threat cyberattacks pose to all businesses.
Many breaches won’t be discovered for months, most breaches won’t be caught by you, some breaches won’t have an impact on your business.... but all it takes is one fraudulent breach and the cost to you and your customers could be catastrophic.
There are many software packages, appliances, and utilities for reducing the business impact of cyberattacks. Any IT service provider worth their salt should already have a dependable and capable security stack which they continually monitor for updates and incidents.
As you can see from the statistics above, a properly deployed security stack may have thwarted 20% - 40% of successful breaches in 2019.
The largest opportunity for hardening your cybersecurity readiness lies in your users. If you're asking yourself ‘how is that accomplished’..... We will cover this in our next article.
Data breaches and hacking are now considered the #1 threat facing company executives. (constructionexecutive.com: cyber risk outlook 2020)
These are the upfront known costs of a breach. They do not take into account the impact a breach would have on your customers.
Cybercrime magazine: Cybersecurity facts, figures, predictions and statistics
These statistics have doubled since 2015 and will continue to rise.
You've been compromised, the attackers have encrypted the data your business depends on and they are asking for a ransom.
Your IT department has been diligent in maintaining backups of your data and even has 'air gapped' backups. Beyond that, they are superstars, as they routinely verify the backups to ensure they can be successfully restored.
Problem solved.... just restore a known good backup and take a few long days to recreate the missing week of data not included in the clean backup (completely overlooking that the cybercriminals have likely been in your network more than 6 months).
A few years ago this approach may have worked. Around 40% of victims paid the ransom back then. Today that number is close to 95%.
Previously cybercriminals only leveraged your data to demand payment. They have now realized, with full access to your network and data, they have a treasure trove of information they can use to persuade a victim to pay the ransom. With access to employee emails, client and vendor contacts, project data, accounting data, messaging data.... they are threatening to:
OK.... I'll pay the ransom
Not so fast. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) may impose a fine if a ransom is paid...... WHAT! - More on this in our 4th Cybersecurity installment.
I’m including this as an eye-opener to how easy becoming a cybercriminal could be. ABSOLUTELY DON’T do this. This is a major driver in the increase of phishing emails in 2020.
Ransomware has been around since the first virus was created in 1989 by Harvard-trained evolutionary biologist Joseph L. Popp, who is now known as the father of ransomware. Ransomware started gaining popularity in 2016, when the Hollywood Presbyterian Medical Center shelled out $17,000 in bitcoin after an attack took the hospital offline.
Way back in 2016 :) you needed to have a high level of knowledge about networking, computers, and coding. Now all you need is a little money (sometimes not even that).
You may be familiar with SaaS (software as a service). Cybercriminals are now offering RaaS (ransomware as a service). You purchase access to a RaaS workstation that is loaded with compromised user accounts and start phishing.
In some cases, there’s no subscription fee or buy-in; many RaaS developers use “affiliate” models where the developer collects all of the ransom money extorted by affiliates, takes out some percentage as commission, and passes on the remainder.
For those thinking of a career change...
Guidelines for Cybercrime in the USA are extremely broad and carry stiff penalties. The maximum penalty for computer abuse crimes under the federal anti-hacking law — known as the Computer Fraud and Abuse Act, or CFAA — is 10 years for first offenders and 20 years for repeat offenders.
These are a few security breach incidents that show the business impact of cyberattacks. This report covers the 3rd quarter (July - September 2020).
Most of these breaches are just that.. a breach of security. The fallout from exposing customer data is not included in these numbers.
Data from Cybercrime magazine: Who’s hacked? Latest data breaches and cyberattacks
I am hoping this article has opened your eyes to the importance of cybersecurity by providing the business impact of cyberattacks.
If you haven’t gone through a cybersecurity readiness assessment I would highly recommend doing so.
If you're not sure where to turn for the assessment, Agave IT Services has the experience and tools to perform the assessment and provide you a clear picture of your readiness to withstand a cyberattack.
In our final Cybersecurity article, Cybersecurity best practices, we will cover best practices for keeping your data and users safe.
Make sure to check back here in a few weeks for those great tips.
Matthew worked with Agave IT Services as a Brand & Content Consultant through 2020. He managed our company transition from Agave Solutions Inc. to Agave IT Services (dba). From our Logo to our online presence and business operations platform; Matthew created a solid foundation able to support our growth into the future.