Shipping containers could not be booked, lawyers were locked out of their laptops and a production line was prevented from churning out chocolates, as serious cyber attacks swept through major companies earlier this year.

Large multinationals from Mondelez to Moller-Maersk, Reckitt Benckiser to FedEx, were forced to warn shareholders that the ‘NotPetya’ cyber attack had hit their bottom line, costing each company hundreds of millions of dollars. They said that the extent of the damage to their finances was not yet known but projected that the year’s revenue would be hit.

The rapidly spreading attack highlighted that what matters for most corporate boards is the cost. Never mind the stories of shady criminals, nation state hacking factories and dark web marketplaces packed with stolen data, this is about the bottom line.

Charles Carmakal, vice-president at Mandiant, part of FireEye, has personally responded to hundreds of breaches. He said some companies are still conducting postmortems to figure out the impact of NotPetya. The June attack, which exploited a vulnerability in Ukrainian accounting software, ended up being much more extensive than WannaCry, a ransomware worm that swept through systems in May.

“It was a state sponsored attack against Ukrainian business and way of life but non-Ukrainian victims were likely collateral damage,” he said. “Most of the cost is the loss of business, the inability to generate revenue but obviously there are possibly millions of dollars worth of IT costs for rebuilding systems.”

The price of a cyber attack varies significantly depending on the kind of breach a company suffers, a company’s size, industry and country, and how well prepared it was for an attack. Overall, the cost of cyber security for companies rose 22.7 per cent last year to an average of $11.7m, mainly due to a rising number of security breaches. The number of breaches is up an average 27.4 per cent year on year, according to the Ponemon Institute’s Cost of Cyber Crime report. The report was based on 2,182 interviews from 254 companies in seven countries.

The most extensive research has been done on the cost of data breaches, the theft of customer information by hackers, as in the hack of the US credit rating company Equifax, where the personal information, including social security numbers, of 144m Americans was stolen, as well as that of thousands of UK customers, and the Yahoo breach, where details for over a billion accounts were hacked.

This year, the average cost of a data breach fell from $4m last year to $3.6m, partly because of a strong US dollar, according to a report on data breaches by the Ponemon Institute. The cost of losing each record went down — from $158 to $141 per record — but companies did experience larger breaches, where they lost more records.

However, data breaches are just one type of attack. Cyber criminals can embark on distributed denial of service attacks, taking a business offline, and nation state actors are stealing intellectual property.

“One client told me intellectual property they valued at $1bn was stolen,” Mr Carmakal said. “That’s a real loss if someone else ends up leveraging the data.”

Larry Ponemon, founder of the Ponemon Institute, said hackers are increasingly adopting destructive techniques, which leave the business without its valuable data. Ransomware attacks, where hackers encrypt computer files and demand a ransom in return for releasing the decryption key, doubled in frequency in the last year to make up 27 per cent of all incidents.

“The ransomware attacks are the start of something that is a lot more sinister,” Mr Ponemon said, adding that criminals could infect industrial control systems, creating huge outages unless companies pay a ransom. “Cyber extortion is the next big wave.”

Other cyber security experts warn that hackers could create chaos by not stealing or destroying data, but inserting the wrong data into the system, forcing companies to question the integrity of their records.

There are many factors an individual company can’t control: the cost of a breach in the US is much higher than in Brazil, the cost of a stolen record is much higher in healthcare than in the media. Some measures can, however, help keep costs down.

Good detection matters: the faster a breach can be identified and contained, the lower the cost. Having an incident response team, participating in threat sharing with other companies and using security analytics can help lower the cost of data breach, according to Ponemon.

The cost of a data breach increases if it involves a third party, if the company has extensive migration to the cloud and extensive use of mobile platforms, according to the report.

To foil hackers, companies should consider segmenting their networks, so that when data thieves come, they can’t take everything. Orion Hindawi, chief executive of Tanium, a private cyber security company, says that as companies collect more data, there is more to steal. “A lot of very important data can get stolen at once,” he warns, if you do not segment your customers.

Ed Stroz, co-founder and co-president of Stroz Friedberg, an Aon Company which responds to cyber attacks, says companies need to invest in creating spare capacity in their systems. They should not treat redundancy as a “nice to have” but a “crucial” way to cope with attack, for example, being able to use another production line if one becomes unusable because its controls have been hacked.

With so much uncertainty, companies are inevitably turning to the cyber insurance market for protection. The market is nascent — but that can play to customers’ advantage, argue many cyber security experts, as insurers are willing to pay out significant costs in order to build their businesses.

Christian Hoffman, national practice leader at Aon Risk Solutions, said more companies are realising that they need to spend on cyber insurance. “From property damage, to product liability, to coverage for business interruption, coverage continues to expand significantly within the cyber insurance market,” he said.

Some insurers are now even expanding directors and officers insurance policies to protect directors for the decisions they made about security and responding to a breach.

When production grinds to a halt, it is now board members being held accountable, not the IT team. The chief executive of Equifax was the most recent leader to resign in the wake of a cyber attack — and directors are now nervous that an attack will not just harm their company, but also themselves.

Copyright The Financial Times Limited 2017. All rights reserved.