The Financial Cost of a Cyber-Attack to your Business
It is a rare week that passes without reports of a new cyber-attack in the business headlines. From infrastructure attacks to large-scale supply chain data breaches, the estimated cost of cyber-crime to the UK economy is significant, currently valued at £27bn.
Indeed, to put things into perspective, if it were measured as a country, cybercrime – which is also estimated to grow by 15% per annum over the next five years – would be the world’s third largest economy, right after the US and China.
Motivated by new vulnerabilities and recent strains upon sectors such as healthcare – as well as capitalising on consequent spikes in online shopping (targeting victims with delivery phishing) and remote working in 2020-22 – cyber criminals are as fast-acting as they are opportunistic. After all, their chosen ‘career’ path offers easy access to people and businesses via email and relative anonymity.
The low risk of being caught, combined with the straightforwardness of conducting phishing attacks (which account for around 83% of cyber-attacks experienced by organisations), has turned cybercrime into a national-scale issue. This is precisely why the Government’s National Security Strategy recognises cyber threats as one of four ‘Tier One’ risks to the UK’s security.
How do cyber-attacks affect organisations financially?
Whilst it’s difficult to pinpoint the full financial impact any one cyber-attack can have upon an organisation, attacks often result in a substantial financial loss arising from one or more of the following:
- Theft of private corporate information (e.g., customer data, financial statements, employee records)
- Theft of financial information (e.g., bank details or payment card details)
- Theft of money
- Disruption to trading (e.g., inability to carry out transactions online)
- Loss of business or contract due to reputational damage
- Staff attrition due to reputational damage
Another important – although often overlooked – financial consideration for organisations is the rising cost of cyber insurance. Cyber insurance covers organisations’ liability if a data breach involving personal data occurs. Depending on the type of policy, cyber insurance can also help offset the costs associated with a cyber-attack, for example, loss of business/trading or the need to bring in IT experts for disaster recovery.
With more policyholders than ever and a higher-than-usual frequency of cyber incidents to deal with during the COVID-19 pandemic, it’s no surprise that some insurers found themselves paying out more over the past few years. And as cybercrime continues to rise exponentially, more and more companies have turned to insurers asking for higher policy limits.
Many organisations simply want to balance the risks of remote working and the new and existing technologies associated with this shift. Many more are worried about the continued rise in phishing attacks and related malware and ransomware occurring globally.
Since hybrid and remote working have proved immensely popular with employees, and many companies have maintained the changes to their working arrangements post-pandemic, insurers have responded by restructuring, widening, and increasing the cost of cyber insurance policies.
Organisations can help keep these costs in check by proactively mitigating risk and employing cyber security services such as proactive threat detection, rapid response capabilities, and vulnerability management.
Recent examples of high-profile cyber-attacks
Across the world, there are now nearly two billion internet users and over five billion mobile phone connections. Organisations depend entirely on the continually available and secure information and communications technology that we all use today.
Still, high-profile attacks targeting healthcare, finance, retail, Government, manufacturing, and energy across 2021 and 2022 have made it crystal clear that security threats are evolving rapidly. Below we take a closer look at what can happen when cyber-attacks successfully breach company systems:
Uber, September 2022
One of the largest companies in the world, Uber, discovered it had been hacked in mid-September 2022 after cybercriminals announced the breach in the company’s Slack chat. The message, which read, “I am a hacker, and Uber has suffered a data breach,” was followed by several siren and popcorn emojis. The perpetrator also claimed they could access several of the company’s databases, including messaging data. In response, Uber shut down its internal messaging services and engineering systems while it attempted to locate and contain the breach.
Uber got in touch with law enforcement and discovered the hacker had compromised an employee’s account. Uber had previously dealt with a cyber-attack and didn’t report it, which led to a legal battle and thousands of dollars in fees. This time they didn’t make the same mistake.
Plex, August 2022
An August data breach at Plex, a media server app used by millions of people, exposed encrypted personal data belonging to its customers, including passwords, usernames and email addresses. The result was massive reputational damage to the company as customers lost trust in the brand and turned to other providers.
Although the vulnerability was addressed and secured, Plex continues encouraging its customers to reset their passwords and enable multi-factor authentication. Of course, this ought to be standard practice for users of any platform in 2022.
Ronin, April 2022
In April 2022, Ronin reported that it had been hacked for $540 million, a huge loss that had to be reimbursed to customers.
This particular cyber-attack has the dubious honour of being the second biggest crypto hack of all time and, sadly, is surely not the last. While it is appealing that cryptocurrency is not stored in a traditional bank, personal and business customers need to understand that many crypto networks do not have the cyber security they need in place.
GiveSendGo, February 2022
The recent hijacking of the Christian fundraising site GiveSendGo took place in response to the Ottawa truckers’ protests against COVID-19 restrictions, and compromised the personal details of those who had donated to the protesters’ funds.
In a Distributed Denial of Service (DDoS) attack, hackers redirected the protests’ fundraising site – which had raised nearly $10M in support – to another page containing a long manifesto set to music from the Disney film Frozen II. A file was also published sharing the personal information of the 90,000+ donors who had contributed to the initiative via the GiveSendGo website.
Crypto.com, January 2022
The January 17, 2022 attack on Crypto.com targeted 483 users’ wallets, and the perpetrators stole approximately $16 million worth of bitcoin and $13 million worth of Ethereum, plus other cryptocurrencies worth about $66,200. This was possible primarily because the hackers were able to bypass two-factor authentication and access users’ wallets.
Initially dismissing it as a mere ‘incident,’ Crypto.com later retracted its statement, confirming that money had been stolen and that affected users had been reimbursed. The company also stated that it had audited its systems and worked to improve its security posture.
Better safe than sorry
Remember, it would be a mistake to believe that only the bigger, multi-national corporations are at risk of major cyber-attacks such as those listed above. Truthfully, companies of all sizes face exactly the same cyber threats, and cyber criminals are particularly effective at breaching the security of those that are apathetic or under-prepared.
Prevention is always better than cure. The best way to tackle cyber security is to invest time and resources in proactively securing your systems and ensuring that your employees receive regular awareness training and education about cyber threats.