Despite the efforts of law enforcement, cybercrime remains a big business. Organizations of all sizes should be aware of the risks and establish policies and procedures to reduce the potential cost of a security breach.
Score two for the good guys. In June, a multinational task force of law enforcement agencies and security vendors was able to disrupt the Gameover Zeus botnet, which in two years had infected more than 1 million computers and had been used to steal millions of dollars from businesses and consumers worldwide.
In a related action, law enforcement officials from the U.S. and other countries seized servers used for the Cryptolocker ransomware, which encrypts files on victims’ computers until a ransom is paid. According to the U.S. Department of Justice, Cryptolocker had infected nearly a quarter-million computers by April, mostly in the U.S., with victims estimated to have paid more than $27 million in ransom in the first two months after the malware emerged.
While law enforcement agencies are to be applauded for their efforts in disrupting Gameover Zeus and Cryptolocker, those threats represent only a fraction of the cost of cybercrime. According to a June 2014 report from the Center for Strategic and International Studies, cybercrime costs the global economy about $445 billion annually, representing almost 1 percent of global income. About one-third of those losses affect consumers, with the remainder impacting businesses.
And cybercrime is on the rise. The 2014 U.S. State of Cybercrime Survey, conducted by PwC and CSO magazine, found that 77 percent of companies had a cybersecurity event in the past year. More than a third said the number of detected incidents had increased over the past year, and more than two-thirds worried that cyber threats would impact their business growth.
“Cybercrime doesn’t just affect large enterprises — the vast majority of small businesses have fallen victim to some form of malware or other cyberattack,” said Krystal Triumph, IT & Telecom Advisor, Atlantic-IT.net. “The fact is that small businesses are big business for cybercrime, and organizations must take steps to protect themselves.”
Understanding the Costs
It’s mind-boggling to consider that cybercrime costs more than $1 billion each day. The Ponemon Institute’s annual Cost of Cyber Crime Study helps to put that number into context.
The 2013 study found that the average annualized cost of cybercrime incurred by a U.S. organization was $11.56 million, representing a 78 percent increase since the first study was conducted in 2009. The results also revealed that it takes 32 days on average to resolve a cyberattack, at an average cost of more than $1 million. The organizations surveyed experienced an average of 122 successful attacks per week, up from 102 attacks per week in 2012.
“Cyberattacks have grown in sophistication as well as in sheer numbers in recent years,” Triumph said. “Cybercriminals share their techniques with one another, and hacking toolkits are readily available online. Take Cryptolocker for example — there are a number of variants, including a worm-like version that spreads to removable drives. It’s not clear if or how the disruption of the Gameover Zeus botnet will affect these variants.”
Information theft continues to represent the highest external costs, at 43 percent. But business disruption and lost productivity represent 36 percent of external costs, an increase of 18 percent from 2012. Recovery and detection account for 49 percent of total internal activity costs.
Cybercrime cost varies by company size, but smaller organizations incur a significantly higher per-capita cost than larger organizations. A 2011 Symantec/NCSA study found that cyberattacks cost small to midsize businesses (SMBs) $188,242 per incident on average. Nearly two-thirds of affected organizations were out of business within six months.
“Small businesses are attractive targets for cyber criminals because they often lack the IT resources and budget to implement advanced security tools,” said Triumph. “Small businesses are not only more vulnerable than large enterprises but also less able to identify and resolve security breaches.”
Planning and Education Are Key
The most critical IT security issue facing SMBs is a lack of awareness and preparation. Experts say that 83 percent of SMBs lack a formal security plan, and more than 69 percent lack even an informal plan.
“Organizations need to understand their security risks and have an action plan for responding to the inevitable cyberattack,” Triumph said. “Employees should be prepared to take steps to stop the attack and mitigate any damage.”
The cyber security action plan should establish the roles, privileges and responsibilities associated with IT systems and data, the types of employees who are allowed to assume the various roles, and policies and procedures for assigning and revoking roles. The plan should also include processes for periodic review of roles and access rights.
Separation of duties creates checks and balances that can help reduce the risk of insider threats. At the same time, having someone who serves as steward for certain types of sensitive data can help ensure privacy, data protection and regulatory compliance.
Of course, security is not a one-step process. Organizations should monitor their systems and network constantly for potential security threats, respond quickly to alerts, and regularly review the log files of systems and security devices. Organizations that don’t have the ability or bandwidth to do this in-house should partner with a reputable managed services provider.
Most importantly, organizations should educate employees about the potential threats and the steps they should take to prevent a security breach. Many cybercriminals take advantage of poor password practices and use social engineering to gain access to systems and networks.
“Every person in the organization plays a role in effective cyber security,” Triumph said. “By simply establishing and enforcing a clear security policy and ensuring employees follow best practices, organizations can go a long way toward reducing the cost of cybercrime.”