A recent government-commissioned report claims that the average cost of a cyber-breach for medium to large UK businesses and charities is a mere £5,220 – despite other industry surveys estimating this number to be closer to £4 million.
But industry experts are warning that the figure appears misleadingly low and could breed complacency about the real impact of a breach, at a time when security specialists also warn that cyber hygiene remains inadequate at many businesses.
The Department of Digital, Culture, Media and Sport (DCMS)’s fifth annual cyber security breaches survey, published March 26, also reports that just 19 percent of businesses or charities that identified a breach lost money or data.
The figures, security experts suggest, seem deeply implausible given the growing tide of attacks they are seeing. (The DCMS report, conducted by Ipsos Mori, disagrees, saying “malware and ransomware” attacks have almost halved in the past two years).
Cost of a Cyber Breach: Who’s Right?
“An average cost of £5220? That just seems really, really odd” said Alyn Hockey, a VP at Reading, UK-based cybersecurity company Clearswift: “IBM are quoting numbers like $3.92 million. There’s such a huge disparity here” said Hockey.
He was referring to IBM’s 2019 Cost of a Cyber Breach Report, conducted by the Ponemon Institute and based on data breach costs reported by 507 organizations across 16 geographies and 17 industries. The DCMS’s cost of a cyber breach survey, meanwhile, was based on telephone surveys of 1,348 UK businesses and 337 charities, with the qualitative work augmented with 30 in-depth interviews.
DCMS: Ransomware’s Halved. FireEye: It’s Up 860 Percent
Other security specialists were dismissive of the DCMS’s findings.
Jens Monrad, Head of Mandiant Threat Intelligence, EMEA, comments, “Although DCMS reports that the number of ransomware incidents has halved since 2017, our FireEye Mandiant ransomware investigations increased 860 percent from 2017 to 2019.”
Clearswift’s Hockey adds: “We had a survey [done ourselves] where we found that 67 percent of healthcare organisations have suffered a cyber-breach. Financial services firms are about 70 per cent.
“So I guess that the bigger the firm, the more accurate the numbers typically are. I think it’s the smaller numbers, the smaller firms that perhaps don’t have a grip. This could be because a lot of these cyber-breaches or attacks go unnoticed” said Hockey.
The DCMS declined to comment and nominated Ipsos Mori to take our questions.
“It’s a Self-Reported Survey”
The company tells us: “The figure of £5,220 is based on the subset of [our survey] sample that admitted to having had a cybersecurity breach in the last year. That won’t include businesses that might have breaches or attacks, but haven’t identified them” admits Jayesh Shah, a spokesperson for Ipsos Mori.
“That’s an admission that we’re aware of in the survey, that we acknowledge and that we can’t get around because it’s a self-reported survey.
“We don’t necessarily consider surveys like the ones carried out at IBM to have a representative sample of medium and large businesses. We consider them to be getting businesses towards the top end, where there will likely be big, high profile breaches. And we also think that those samples tend to be self-selecting.
“So the businesses that want to take part are the ones that do take part, and the businesses that want to take part are probably the ones that have something to say”.
It’s not just the breach cost numbers that confused industry, however.
“Phishing! Malware! Ransomware!”
The categories of phishing, malware and ransomware also raised eyebrows.
“The different attack categories, for me, were a real question mark in the whole report,” remarks Dr Jamie Collier, an intelligence team lead at Digital Shadows.
“The problem is that they’re not inherently distinct.
“If we talk about ransomware, for example, ransomware is a horrible malware, so ransomware is a subset of malware, which is often delivered via a phishing attack. So if you experienced a ransomware attack, you could theoretically say that that was also malware and it was also delivered by a phish. So the point with those different kinds of categories is they’re not clearly distinct”.
Ipsos Mori responded: “Businesses that are telling us that they’ve had malware or ransomware or viruses will tend to be the ones that have very clearly popped up and potentially been successful attacks. So I think what our survey is measuring is what businesses tell us they’ve identified, which is not the same thing as what’s actually happening on the attacker’s side…
“I think the way we think about the findings is, it’s important to know what businesses are identifying and what they’re considering to be attacks on their businesses. They’re saying phishing attacks are at the top by far, compared to the other attacks”.
With HMG doing some excellent work on building UK Plc’s cybersecurity awareness, including via the National Cyber Security Centre, and the World Economic Forum’s 2020 Global Risks Report noting that cyber attacks “today are potentially as destructive as major natural disasters”, it is an open question whether straw polls like this that potentially downplay the impact of cyber attacks add much value to the debate.
If they do one thing however, it is to cast light on how hard it remains to accurately quantify the cost of a cyber attack.
We’d be interested to hear our readers’ thoughts.
Email claudia (.) glover (@) cbronline (.) com