We now know that a data breach or cyber attack is most likely going to hit your business. CBR has told you how to spot a breach and how to react in the critical first hours, has detailed what big companies like TalkTalk have learnt from high-profile hacks on their systems, and has listed tools with which to protect your business.
However, the numbers don't lie. Businesses are still not doing enough to protect their assets and cybercriminals are reaping the benefits; you need only look at the facts and figures below.
For all those who are slow off the cybersecurity mark, may these figures act as a warning and spur you on to deploy the policies, infrastructure and strategy needed to protect your business.
Cyber crime costs by 2019
Fuelled by the rapid digitisation of consumers' lives and enterprise records, Juniper Research predicts that the global cost of data breaches will hit $2.1 trillion by 2019. One reason the number is set to rise is that cyber security is continually evolving: the threats, and the means by which attackers operate, change constantly. Rob Lay, Customer Solutions Architect in UK & Ireland at Fujitsu, told CBR:
"One of the biggest challenges that organisations face is the ever-changing nature of threats. Large, high-profile attacks constantly show us that cyber threats are forever evolving and becoming far more targeted. In addition to this, businesses utilise data that is much more distributed than ever before, and are using it in a more flexible and mobile way. Maintaining both control of this data along with who has access to it, and a well understood risk profile is an increasing challenge."
Average total cost of a data breach
According to the Ponemon Institute's 2015 Cost of Data Breach Study, the average consolidated total cost of a data breach has increased 23% since 2013. The study also found that the cost incurred for each lost or stolen record containing sensitive and confidential information rose 6%, from a consolidated average of $145 to $154.
Average recovery costs of a data breach
According to NTT Com Security's Risk:Value Report, business decision makers expect a data breach to cost upwards of £1.2m in recovery costs. However, that figure does not account for hidden costs such as reputational damage, brand corrosion, legal fees and executive changes, so the true cost could be far higher than the one-off £1.2m cited by NTT Com Security.
Speaking to CBR, Garry Sidaway, SVP Security Strategy at NTT Com Security, said: "The threats we face today will not be the threats we face tomorrow – and the way we work today will not be the way we work tomorrow. Risks must be put into context and appropriate measures be taken to protect an organisation's key assets. With this, the ability to respond efficiently and effectively to a breach once it has been detected is essential because, if handled appropriately, it can save significant time and money."
Most expensive cyber attack
One of the world's costliest data breaches hit Epsilon, the world's largest email marketing firm, in 2011. The company fell victim to a spear phishing attack, with damages estimated at between $225 million and $4 billion.
UK businesses hit by cyber attacks
Two-thirds of large UK businesses have experienced a cyber breach or attack in the last year, according to the 2016 Cyber Governance Health Check. The research, conducted by the UK government alongside big auditors such as PwC and EY, found that the most common attacks detected involved viruses, spyware or malware. Commenting on the findings from the research, Paul Farrington, senior solution architect at Veracode, said:
"The tidal wave of cyber attacks hitting British businesses every day is a reminder that there is no room for complacency in the connected world. The survey highlights that industry and institutions are placing inappropriate levels of resources to tackle the prospect of cyber attacks. There is a perception that breaches happen to other firms, and the risk of attack is minor. The reality is that most firms are attacked – too many of these attempts are successful."
Number of days to detect a threat
It takes a median of 205 days for organisations to detect a breach or cyber attack, according to FireEye's 2015 M-Trends threat report. This means that attackers have free rein over systems for a very long time, in which they can steal data, infect and infiltrate other connected systems and ultimately cripple an organisation's infrastructure. It is not all bad news, however: the number of days to detect a threat has improved, down from the median of 229 days reported the previous year.
James Chappell CTO and co-founder of Digital Shadows told CBR: "Most experts agree it takes the average firm around 200 days to detect a breach during which time a significant amount of damage can occur. Too many firms only find out they’ve been breached when for example, their proprietary engineering designs or employee user names and passwords are available for purchase on the dark web. Minimising this time to detection is critical, or better still preventing it entirely. A starting point for firms is to look at external sources of information in order to gain a more comprehensive awareness of the threats they face."
Businesses not able to react to cyber attacks
According to NTT Com Security's 2016 Global Threat Intelligence Report (GTIR), 77% of organisations have no capability to respond to critical incidents. Trend data from incident response activities over the course of the last three years shows that just 23% of organisations are capable of reacting to a cyber attack.
A good Incident Response plan, according to Rashmi Knowles, Chief Security Architect, EMEA, RSA, is "a comprehensive, premeditated approach to protecting applications, data and information infrastructure from cyber-attacks. Process, people, procedures and technologies are core elements of a thoughtful incident response plan".
Potential victims of eBay data breach
In early 2014, eBay suffered a breach which compromised encrypted passwords and other personal information. The e-retail giant had to ask 145m users to change their account passwords after attackers used a small number of compromised employee log-in credentials to gain access to its corporate network.
Businesses with incident response plans
Drawing on the findings from the 2016 Cyber Governance Health Check once again, a paltry 10% of UK businesses had an incident management plan in place in order to respond to a breach or attack. Just a third of all firms had formal written cyber security policies – it was these findings which Jens Puhle, UK Managing Director of 8MAN, found to be the most surprising take-away from the government-backed research.
He said: "One of the most shocking revelations in the Government’s research is the fact that just 10 per cent of UK businesses have an incident management plan in place. Given that two thirds of large businesses were breached this year alone, organisations need to think in terms of "when", not an "if" they are attacked, and it is vital they have a solid response plan in place.
"Businesses that are equipped with the ability to identify how the breach occurred and which systems were affected will be able to mitigate the damage and the impact and resume normal operations much sooner. They will also be able to take control of the aftermath, disclosing the incident on their terms and working with the authorities to catch the perpetrator."
Customers lost by TalkTalk
In total, the firm lost 101,000 customers and £60m as a result of the attack. This is double the cost that the firm's management had previously predicted: in November 2015, CEO Dido Harding told the BBC that the costs of the attack would be between £30m and £35m.
The firm said that there had been a "higher churn" of customers, with people choosing not to renew contracts. However, Harding said that half a million customers had taken up the firm’s offer of an unconditional upgrade.
Churn for the quarter was -2.1%, and the firm estimated that about 0.6% of that was a result of the cyber attack. It also attributed some of the loss of customers to closing down its online sales and service channels in response to the cyber attack.
"Both churn and new connections recovered during December and January and independent external research has revealed that customers believe that we acted in their best interest. In fact trust in the TalkTalk brand has improved since just after the attack and consideration is higher now than it was before the incident," said Harding.