Written By: Steven Winter – Corporate Finance
In 1988, Robert Morris, a graduate computer scientist at Cornell University, created a computer worm that spread so rapidly and aggressively that it succeeded in shutting down the better part of the Internet. The Morris worm is today acknowledged as the first major landmark of an era of sophisticated cyberattacks and the introduction of the computer emergency response team. While the US Government Accountability Office estimated the cost of the damage of the Morris virus to have been somewhere between $100,000 and $10,000,000, a 2015 report by Lloyd’s of London, a British insurance company, shows that cybersecurity costs businesses more than $400 billion annually today.
In the US alone, The Wall Street Journal estimates the annual costs of cybercrime to be approximately $100 billion. Another 2015 report by Hewlett-Packard approximates cybercrime to cost the average US firm around $15.4 million in a year. The study shows that all industries and markets across the globe face cyber-threats. From 2013 to 2015, the costs of cybercrime increased nearly threefold, with cybersecurity experts estimating that the cost of data breaches will hit $2.1 trillion by 2019. This is almost four times the costs incurred in 2015. According to the World Economic Forum, a significant portion of cyberattacks go undetected, and therefore the costs could be even higher.
A 2016 PricewaterhouseCoopers (PwC) report shows cybercrime to be the second most-reported economic crime. The study shows that nearly a third of cyberattack victims this year have incurred losses in excess of $100 million. Reputational damage tops the list as the most damaging impact, followed by legal, investment and enforcement costs. Given that some hackers have devised ways to remain in systems for long periods without being detected, the report estimates that 56 percent of those who say they are not victims may have been attacked without knowing it. The situation is made worse by the fact that most organizations are not adequately prepared to face the risk of cyberattacks. The PwC report shows that only 37 percent of organizations have a cyber-incident response team.
While 61 percent of CEOs seem to recognize cyber-incidents as a significant business threat, the PwC study indicates that many board members are not sufficiently proactive and do not understand their firms’ digital footprints well enough to assess the level of risk accurately. According to the report, only four in ten companies have fully trained personnel to respond to cyber-threats, the majority of which are information-technology security staff. Of the respondent companies, only three in ten have a fully functioning incident-response plan, with nearly half not recognizing the importance of having one in place. Top management's ignorance of the need to be equipped to face cyberattacks has increased the vulnerability of many firms to this form of crime.
Many security attacks involve human error and are usually preventable in cases in which the organization has trained its staff on online safety. A study by IBM indicates that 95 percent of all security incidents are a result of human error and usually involve an insider being tricked by hackers into performing an action that opens loopholes for them to access sensitive information. For instance, the hacker may pretend to be a staff member of the organization and trick the insider into sending them sensitive data via email. While many organizations have been falling for this trap, it is easily solved by organizations putting in place security controls that prevent sensitive data from being leaked out of their firms.
The Zurich Insurance Cyber Risk report warns of an immense threat posed to the global economy by the rising number of cybersecurity threats. Given the interconnectedness of the world economy, a buildup in cyber-risks has the potential to cause a global financial crisis of the magnitude of the one experienced in 2008. Contrary to the common perception that cybersecurity is only an issue for big corporations, small and medium enterprises have become a principal target for hackers. Organizations that fail to embrace cybersecurity as an essential component of business are likely to find themselves going out of business in years to come.
While cyber-threats are inevitable, an investment in the latest cybersecurity technologies and continued employee education on how cyberattacks occur and what to do about them are of paramount importance in every organization. With experts predicting a future of more sophisticated cyberattacks, there is no better time than now for organizations to focus on safe practices. As the use of mobile devices continues to gain popularity in organizations, the vulnerability to digital and physical attacks is expected to keep rising. Before embracing any new technology, organizations should prepare their staff members to face the security challenges associated with it.