With the average company now being attacked every four days, terms like phishing, worms, botnets, Trojans, and denial of service (DoS) are fast becoming everyday language to business owners, let alone the IT specialists. There’s no getting around it - hacking is here to stay.
Hacking has become a billion-dollar industry: in the last two years alone, four high-profile data breaches have cost the targeted companies over $1 billion apiece in lost business and recovery costs.
Hackonomics revealed
The US-based Ponemon Institute’s latest annual global benchmark survey of 257 companies has revealed that businesses are being hit harder and more frequently than in previous years.
- In 2014 there were 1.7 discernible cyberattacks per company per week i.e. 1 every 4 days. In 2013 there were 1.4 attacks per week, and 1.3 per week in 2012.
- The average cost of a data hack (across all countries) is $7.6 million (£4.8 million). In the US, the figure is a staggering $12.7 million (£8.1 million); in the UK it’s $5.6 million (£3.6 million).
- US costs are up 10% on last year, but they have leapt by 22.7% in the UK.
- Around 98% of companies experience viruses, Trojans, worms and malware; around 59% experience botnet and web-based attacks and around 50% are affected by phishing, malicious code and DoS.
- Malicious insider attacks (experienced by 35% of businesses) are the most costly, and take twice as long as average to contain (59 days vs the average time of 31 days).
- Cost varies by organisational size: although large companies incur a higher overall cost, smaller organisations have a 4-times higher per capita cost.
- Business disruption is the single most costly external element (38% of total). This includes fines, legal action, and the value of stolen intellectual property. Information loss comprises 35% of costs, and revenue loss 22%.
It won’t happen to me
Avoid dismissing the stats as irrelevant to your own company – it doesn’t just happen to ‘other’ businesses, and it doesn’t just happen to the likes of the Fortune 500 either. Yes, some hackers only target the choicest quarry but, like the rest of us, cybercriminals come in all shapes, sizes and capabilities…the owners of the 30,000 websites who get hacked each day can attest to this.
Also avoid thinking that your business has nothing of such great value as to attract the attentions of a hacker; 59% of the cited cyberattacks were botnet related – attacks where a network is harnessed for malicious activities such as a coordinated DoS, or a point from which to launch other attacks; in essence, they make you look like the criminal instead of the hackers themselves.
Preventing attack
The survey points out that the most effective instruments (in terms of ROI) in mitigating costs are security intelligence technologies, encryption and advanced perimeter controls. Hiring expert security staff with a high-profile leader is critical, as is good data governance.
Good data governance includes the training and awareness of employees, and formal policies which direct how users should robustly protect the integrity of their passwords; after all, they are what hackers want, and safeguarding them is a key component in the successful prevention of a malicious attack.
Strong passwords are those which are long and complex (containing a mix of upper and lower cases, numbers, and special characters). And, as they shouldn’t be easy to remember – and therefore easily hacked - password management tools are the safest option for storing them.
Invest for the long haul
One unavoidable truth is that cybercriminals are hard for the authorities to track down and even harder to bring to book. Some escape detection because not all businesses admit to being attacked; others escape because they live in other countries or jurisdictions where chances of cooperation is problematic – 85% of cases handled by the European Cybercrime Centre involve Russian-speaking organised crime rings.
In the absence of any significant external help from authorities, business owners know that, for now, well-judged security budgets and rigorous self-protection measures are their only option.