By Valentina Pasquali
The frequency and severity of cyberattacks on businesses and organizations across the world have exploded in recent years, and so have the direct and indirect costs they inflict.
Global finance executives spend many a sleepless night worrying about the many risks—old and new—faced by their companies in the current global business environment. An increasing number of those nights are dedicated to the varied ways that their firm could be the target of a cyberattack. Putting an exact figure on what cyber risk means for global business is not easy, but most market watchers agree that the threat is real and still rising. And although executives are increasingly aware of the problem, they continue to lag behind hackers in terms of cyberthreat management. Whether businesses suffer from an underinvestment problem or one of inefficient spending—and views on this issue differ—corporate focus on protecting company’s data, payment systems and overall IT infrastructure will only keep growing for the foreseeable future.
For several days at the end of March the Switzerland-based organization Spamhaus, which manages databases of spammers and blacklisted users for the benefit of Internet service providers, corporations and governments, came under one of the biggest cyberattacks to date. It not only brought down the project’s website and email servers but also slowed down the Internet across Europe.
Around the same time, computer systems at three of the biggest banks and the top two broadcasters in South Korea were the target of a separate cyber hit. Customers were left without access to ATM machines, and some 30,000 computers were damaged.
In the United States, footwear retailer Genesco is suing Visa after the credit card giant fined it $13 million as a result of a 2010 data breach suffered by the company. The penalty was imposed on Genesco because it failed to comply with the Payment Card Industry Data Security Standard, created by Visa, Master Card and American Express, which demands that companies using online transactions abide by certain procedures.
"We are already investing too much but are still ineffective."
– Professor Rainer Böhme, University of Münster
A recent survey by Deloitte of almost 2,000 executives revealed that 79% were not confident in their company’s current level of protection but only 58% had plans to boost spending on cybersecurity in the next year.
Böhme, University of Münster: Companies are wasting a lot of money
There are several reasons for this disconnect. First of all, cyberattacks are still difficult to detect. According to a recent study by Mandiant, a provider of corporate cybersecurity systems, hackers spend an average 243 days on a victim’s network before they are even identified. Second, cybersecurity is a cost-saving and not a revenue-generating measure, which makes it a less appealing investment to executives, who must always keep an eye on share price. Finally, it can be hard for IT specialists to make the case for higher cybersecurity budgets because when a job is well done, there are no breaches that need fixing to point to.
“This is a resource allocation decision,” says Lawrence Gordon, a professor at the Robert H. Smith School of Business of the University of Maryland. “How should companies go about deciding how much to spend on IT security?”
According to a 2012 survey of technology managers in the US conducted by US research center the Ponemon Institute and Bloomberg, organizations that want to achieve the highest possible level of IT security—capable of repelling 95% of attacks—would have to boost spending from the current $5.3 billion (combined) to $46.6 billion, nearly a ninefold increase. Even to be able to stop just 84% of attacks, they would have to approximately double their investments.
Shackelford, Indiana University: Few firms are demanding data about breaches
Not everyone is convinced that the solution is to spend more money. “We are already investing too much but are still ineffective,” says Professor Rainer Böhme of the University of Münster in Germany. “Companies are wasting a lot of money; they are buying antivirus software because everybody tells them to, and if they don’t do it they are personally liable.”
For Professor Gordon of the University of Maryland, it is important to remember that a 100% level of security is neither attainable nor particularly desirable, as it would not offer a good return on investment. The key, he says, is finding the “optimal level” of investment. In 2002, together with Professor Martin Loeb, also of the Smith School of Business, Gordon came up with a model to help companies think more clearly about cybersecurity and the level at which cyber security investments provide the best ROI. “On average, you don’t want to spend more than approximately 37% of potential losses,” he notes.
BY THE NUMBERS
Many have tried to put a price tag on the global cost of cybercrime. IT security firm McAfee came up with a global estimate of around $1 trillion for the year 2010. However, this assessment has been disputed, and critics have pointed out that businesses like McAfee have a conflict of interest in publishing eye-catching numbers on cybercrime while pushing the sale of cybersecurity products.
According to Scott Shackelford, assistant professor of Business Law and Ethics at Indiana University’s Kelley School of Business, there are other reasons why we don’t have a clear picture yet. “First, few are demanding data about breaches,” he says. “Second, companies rarely feel compelled to compile, organize and transmit data on their own. And third, there may not be sufficient perceived benefit in reporting cyberattacks because of a lack of confidence in law enforcement.”
In 2012 the Ponemon Institute tried, nevertheless, to get some numbers out. It surveyed executives at dozens of companies and organizations in five countries and found that, as a result of cyberattacks, they had spent an annualized average ranging from a high of $8.9 million in the US to a low of $3.2 million the United Kingdom, with in-between points of $6.0 million in Germany, $5.1 million in Japan and $3.4 million in Australia.
Another study run by Ponemon in the US, the UK, Germany, Brazil and Hong Kong found that the price an average firm paid to recover from a single successful cyberattack went from a high of $298,359 in Germany to a low of $106,904 in Brazil.
Costs come in a variety of forms. They include direct disruption of operations and payment transactions and theft of sensitive data such as trade secrets and credit card information. But they also generate indirect losses such as legal liability and long-lasting harm to a business’s brand. They may even damage the stock market value of publicly traded companies. A 2006 study by four Japanese researchers found that the Japanese stock market showed “statistically significant reactions around 10 days” after news reports of information security breaches came out. “Japanese market responses were slower than in the US, where they happened the next day,” says Kanta Matsuura, professor of information security and security management at the University of Tokyo and one of the co-authors of the study.
GROWING AWARENESS AND A BOOMING INDUSTRY
With news of successful cyberattacks dominating global headlines, the corporate response is mounting. IT research and advisory company Gartner estimates that the five-year compound annual growth rate of the worldwide cybersecurity market between 2010 and 2016 will hover around 9%, nearly double that of overall global IT spending. A report published in February 2013 by Burning Glass, a group that produces job market intelligence, found that in the US demand for cybersecurity jobs has expanded 3.5 times faster over the past five years than for computer jobs overall and 12 times faster than the labor market as a whole.
Insurance companies are also launching new cyberproducts, and premiums are rising. According to the Betterley Report, which monitors this industry, premiums for 2012 came close to $1 billion in the US alone and are predicted to rise by another 20% this year.
“AIG handled a claim for a national retailer who wasn’t able to process in-store and online credit card transactions for nearly 48 hours,” says John Gambale, head of professional liability & Lexington Financial lines at AIG, the insurance giant that now underwrites cyber risk policies in 30 countries around the world. “Because the insured purchased network interruption coverage, AIG worked with a forensic accountant and the insured to calculate the lost profits of $1.4 million and then processed the reimbursement in full.”
Professor Shackelford of Indiana University recalls the case of Brookeland Fresh Water Supply in East Texas, which had $35,000 stolen by cybercriminals. Thanks to an insurance policy, the company ended up paying only a $500 deductible. “This form of insurance can be a godsend for smaller firms with cyber risk exposure,” says Shackelford. “The concern, however, is that it will make firms that much more reactive, putting off proactive investments until they are forced to.”
Primary sectors victimized by corporate cybercrime
This is the choice John Perry faced in 2006 as he became the director of information services at NACE, a nonprofit focused on corrosion mitigation with an annual gross revenue of about $30 million. “When I arrived, the security of the network and Web server was very relaxed and intrusions were common, on an almost monthly basis,” he says. “I would definitely have considered buying into something like that [insurance] back then.” Instead, he decided to increase his IT security budget. Perry says he now invests around $35,000 a year in cybersecurity. “As you might imagine, in 2006 that number [the organization’s IT security budget] was in the hundreds, not thousands,” he adds.
The fight against cybercrime is far from over. Since the battle between intruders and defenders is a cat-and-mouse game and as businesses are growing more and more reliant on the Internet, corporate cybersecurity costs will continue to rise. And so will IT security budgets.
NOBODY IS IMMUNE
Cyberattacks used to be something only for governments—and for private companies that operated in the national security, financial services and critical infrastructure sectors—to worry about. Nowadays, everybody is a potential target for hackers. And anyone might be a hacker.
“We see the continuation of a trend over the next couple of years we call ‘democratization of digital skills,’ with hacking becoming available to average people through downloadable, inexpensive software,” says Richard Torrenzano, chairman and chief executive of the reputation management firm Torrenzano Group. “Everyone will have 15 minutes of shame in the future.”
The 2013 Trustwave Global Security Report, assembled by IT security services provider Trustwave, found that last year the primary sectors victimized by cybercriminals were retail (with 45% of the incidents analyzed), food & beverage (24%) and hospitality (9%).
Small and medium-size enterprises are in just as much danger as large corporations, partly because they cannot afford the same level of security.
“Nobody is immune from this problem,” says Kelly Bissell, who leads Deloitte’s Information & Technology Risk Management practice. “Anyone that has anything of value is a target for attack, and if you don’t have anything of value, then you are not really a business.”
THE NEW CHIEF ELECTRICITY OFFICER
A comparison is often made between cybersecurity and electricity. For companies to run efficiently, both have to be there at all times, but the fact that they are doesn’t get anybody excited. Rather, when we turn on a switch and the room remains dark, we get angry. The same is true for IT defenses—it is when a breach occurs that we suddenly pay attention to them.
Back when electricity was as new and exciting as the Internet is today, several big companies in the US had a chief electricity officer in charge of managing fluctuations in the power supply. “But the reign of the chief electricity officer was brief,” notes technology writer Nicholas Carr, in his blog. “As with electricity, IT is fated to become a basic component of traditional business functions rather than a specialized resource requiring its own managerial bureaucracy.”
This future, however, is still years away, especially in terms of cybersecurity, as systems remain highly vulnerable and the technology involved continues to change. For the time being, the role played by corporate IT security will continue to expand across the world.