The rapid growth of cyber-attacks has been given further traction by the COVID-19 pandemic in 2020 – yet most businesses remain underprepared for this very real threat.
The first cyber-attack to gain mainstream media attention began with good intentions. Back in 1988, a graduate student in the US called Robert Tappan Morris developed a program to assess the size of the internet. Unfortunately for him, he inadvertently executed the first Distributed Denial of Service (DDoS) attack – infecting thousands of computers. Fast-forward over 20 years and the exponential growth of the internet has caused cyber-attacks to evolve into the world’s biggest criminal growth industry – it’s estimated that cybercrime will cost us $6 trillion annually by 2021.
And it’s easy to see why: there has been a 67% increase in security breaches since 2014, resulting in a 72% rise in the average cost of cybercrime according to research by Accenture. If we place this data under the microscope, we can see how cybercriminals are conducting these malicious attacks and the alarming rate at which they are increasing:
- Ransomware attacks against businesses rose by 350% in 2018
- Spoofing or business email compromise attacks against businesses rose by 250% in 2018
- Spear-phishing attacks against businesses rose by 70% in 2018
By 2019, the proportion of UK firms reporting a cyber-attack had jumped to 55% – up from 40% the previous year. Even more concerning was the admission from most businesses that they are underprepared for potential breaches. This head-in-the-sand approach – typical amongst SMEs – is often born of the misconception that they are unlikely to be targeted by cybercriminals due to their size.
Whatever the reason for having poor cybersecurity measures in place, these businesses became increasingly vulnerable this year after society was blindsided by a catastrophic event: the COVID-19 pandemic. The rapid spread of the virus around the globe created perfect conditions for cybercriminals to exploit: uncertainty, large-scale remote working and increased online activity. Cyber-attacks have subsequently escalated in frequency and scope since lockdown restrictions were implemented in March.
These unscrupulous individuals are cashing in on increased workloads, unfamiliar ways of working and heightened stress levels by developing themed phishing and social engineering attacks that use COVID-19 as bait – and the impact is staggering:
- Email scams related to COVID-19 surged 667% in March alone
- By May, almost half (46%) of global businesses had experienced at least one cybersecurity threat
- In May, the FBI identified an 800% increase in reported cybercrimes
Cyber-attacks: the reality
If your business has not already been targeted by a cyber-attack, it’s a case of when, not if. In fact, you may already have fallen victim but do not know it yet: cyber-attacks resulting in costly data breaches can be executed in a matter of seconds, yet businesses often take weeks to realise – on average, it takes around 197 days to identify a breach and 69 days to contain it. That’s almost seven months – imagine how much sensitive data could be compromised in that time.
The damaging impact of a successful cyber-attack can be divided into three broad categories: financial, reputational and legal.
- Financial loss – around 29% of businesses that face a data breach end up losing revenue. The losses range from the cost of containing the breach and compensating affected customers to a reduction in share price and valuation.
- Reputational damage – we are connected like never before, meaning news travels fast – especially bad news. The impact of an avoidable breach that compromises customer data can be devastating and long-lasting: lost confidence, negative press, identity theft and difficulties attracting new customers, future investment and new employees.
- Legal action – data protection and privacy laws require businesses to securely manage and store all personal data they hold. Failure to deploy appropriate security measures, resulting in data being compromised, might result in regulatory sanctions – including hefty fines and settlements.
What’s your plan of attack?
If you were not acutely aware already, the COVID-19 pandemic has reminded us that cybercriminals are constantly developing new methods to circumvent defences and compromise valuable data. So, why do some businesses still fail to implement a proactive approach to cybersecurity? After all, you wouldn’t think twice about creating a disaster recovery plan, taking out contents and building insurance or conducting fire drills.
If your business falls into this ‘must do better’ category, it’s time to take cyber seriously before it’s too late. Simply responding reactively to these sophisticated – and constantly evolving – threats will expose your business to potentially devastating risks.
While all organisations are different – meaning each must set its own direction and tone for cybersecurity – they should have a common goal: the development of a cybersecurity strategy that focuses on establishing and implementing proactive and meaningful security controls and culture.