The past few years have seen a staggering increase not only in the number of instances of cybercrime but also in severity. This is in part due to the changing nature of cybercrime, which is now recognised by criminologists as moving away from “script-kiddie” amateurs to sophisticated organised crime.
The Royal United Services Institute (RUSI) Threat Assessment of Cybercrime to the UK indicated that cybercriminals are now operating at very sophisticated levels, adopting business-like structures and methods to drive profits, improve efficiencies and increase their return on investment.
With the ever-increasing number of cyber attacks, what was once considered solely a concern of those working within IT is now a responsibility of the entire C-suite.
With that in mind, Veracode partnered with the Centre for Economics and Business Research (CEBR), one of the UK’s leading independent commentators on economic and business trends, to study corporate-level British executives’ attitudes to cybercrime and its economic cost to British businesses.
What is the cost to British businesses?
Cyber attacks pose a significant financial threat to the UK economy, with CEBR estimating the total cost to British firms at £34 billion per year, of which approximately £18 billion is from lost revenue. The issue is widespread, with 15% of the businesses questioned indicating that they had directly lost revenue due to a cyber security breach.
While it might seem extraordinary that British firms have such a significant collective revenue loss when only 15% of businesses report it as a direct result of a breach, it is clear that some companies have more to lose than others.
For example, while financial services firms lost on average only 1.5% of revenue due to a cyber security breach, the revenues of a typical company within this industry mean the losses are likely to be in the range of several billion pounds.
But lost revenue is just one part of the story. Loss of reputation or brand damage poses a serious threat to listed companies, with many companies that suffer from security breaches consequently seeing a drop in their share price. For example, AOL’s share price fell nearly 2% within just three days of its security breach in April 2014, then falling a further 24% within a month.
The loss of competitive advantage due to the theft of intellectual property such as proprietary product designs and business plans is another fear cited by the C-suite. Surprisingly, however, this was of significantly less concern to British executives than to their US counterparts, who listed it among their top three cyber security worries in a separate NYSE study. This may in part be due to a lack of awareness, considering that 34% of cybercrime in UK businesses is actually tied to IP theft.
Investing in security
It is clear that companies in all industries have some difficult and costly decisions ahead to help protect themselves against cyber attacks. In the utilities, energy and mining industry alone, 60% of the firms questioned stated that they expected to increase their IT spending to protect against breaches.
While 70% of CTOs think that their current cyber security policies stifle innovation, this may indicate a need for more automated and streamlined security processes that don't slow innovation down, such as using automated cloud-based security services instead of manual (and time-consuming) penetration testing.
Having the right structures in place can save not only reputation but money in the long term. For example, of the £34 billion total cost to British firms per year, £16 billion was accounted for by increased IT spending as a result of breaches.
Securing against cyber attacks doesn't have to cost millions. In fact, the same attack vectors are often reused by cybercriminals, who profit from companies that don't guard against common and easily exploitable vulnerabilities such as SQL injection.
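As an added illustration of the vulnerability class named above (this is example code written for this page, not code from the original article or from Veracode's own tooling), the snippet below runs the same login check twice against an in-memory SQLite table of constructed sample rows: once with the query built by string formatting, once with bound parameters. The user names, passwords and payloads are all assumptions chosen for the demonstration; a real login store would also hash its passwords, but the point here is only how the query is constructed.

```python
"""
Added example, not part of the original article: a string-built SQL query
beside its parameterised fix, run against constructed sample data.
"""
import sqlite3

# Constructed sample data standing in for a real user table.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple", "admin"),
    ("bob", "hunter2", "user"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Vulnerable: the query is assembled with f-strings, so user input becomes SQL."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Fixed: placeholders bind the input as data; it is never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo() -> dict:
    """Run both versions against two classic payloads and a legitimate login."""
    conn = build_db()
    # Tautology in the password field: AND binds tighter than OR, so the
    # WHERE clause becomes (username='alice' AND password='') OR '1'='1'.
    tautology = "' OR '1'='1"
    # Comment in the username field: everything after -- is discarded by SQLite,
    # so the password check disappears entirely.
    comment = "alice'--"
    return {
        "vuln_tautology": login_vulnerable(conn, "alice", tautology),
        "vuln_comment": login_vulnerable(conn, comment, "anything"),
        "safe_tautology": login_safe(conn, "alice", tautology),
        "safe_comment": login_safe(conn, comment, "anything"),
        "legit": login_safe(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:15} -> {row}")
```

Both payloads log the vulnerable version in as the admin account without knowing the password; the parameterised version returns no row for either, while still accepting the genuine credentials. The fix costs nothing beyond using the placeholder syntax every mainstream database driver already provides.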
This view is supported by the findings of the Verizon 2015 Data Breach Investigations Report (DBIR), which indicated that in 60% of cases, cybercriminals attacking an organisation are able to compromise systems within minutes.
Web application attacks also remain a top threat, with 99.9% of software vulnerabilities exploited in breaches having been publicly known for more than a year (think of known vulnerabilities in reusable components, such as Heartbleed in OpenSSL and Shellshock in bash). This clearly indicates a need for more rigorous patching processes.
Patching is one of five key controls recommended by the DBIR to help companies prevent a breach: web application security, two-factor authentication, patching web services, verifying the need for Internet-facing devices, and logging and verifying outbound traffic.
At all levels of a company, it is important that everyone is conscious that no business is safe from cyber attacks. According to the Department for Business, Innovation and Skills (BIS), 81% of large UK businesses suffered a breach in 2014. Businesses that have not yet been subjected to attack should not be asking why, but when.
By ensuring that they have the right safeguards and responses in place, companies can significantly reduce the economic and reputational impact of a breach.
Sourced from Chris Wysopal, CTO, Veracode