Cyber crime costs companies $445 billion per year
Inspiring fascination and mystique, hackers have long captivated the imagination of the public while the exorbitant costs of their cyber crime accrue in relative silence. According to a 2014 study by The Center for Strategic and International Studies and security firm McAfee (now known as Intel Security Group), the estimated global cost associated with hacking has reached a staggering $445 billion per year.
A study released by the Ponemon Institute in the same year says that the hacking phenomenon costs individual U.S. businesses on average $12.7 million, while companies in other parts of the world trail close behind.
These stunning losses are composed of quantifiable costs such as financial and intellectual property (IP) theft, as well as the soft costs associated with lost business opportunities and repairing a company’s infrastructure and reputation following a hack. According to McAfee, “While criminals will not be able to monetize all the information they steal, the victim has to spend as if they could use all the stolen data. The aggregate cost for recovery is greater than the gain to cyber criminals”.
Despite many moves towards heightened network security, a number of major companies have nevertheless fallen victim to sizable breaches in the last five years. Among these: U.S. retail giant Target, Japan-based Sony Entertainment, and major Saudi oil distributor, Aramco.
Retail businesses are attractive to hackers largely because they are reservoirs of consumer identification and financial data and have frequently proven to be unsound in terms of cyber security.
A hack on Target in late 2013 put the credit and debit information of 40 million customers into the hands of cyber criminals, prompting many to argue that Target’s security systems were dangerously under-equipped. The ensuing fallout prompted the resignation of its CEO Gregg Steinhafel and CIO Beth Jacob.
An investigation revealed that malware installed on Target’s security and payment system in the days leading up to retail’s Black Friday was designed to capture any credit or debit card swiped during retail’s busiest weekend and immediately send it to a server controlled by cyber criminals.
The collective cost to replace the stolen credit cards was estimated at $200 million, which prompted a number of small banks to pile on lawsuits against Target.
Following court proceedings, Target was required to expand data security, provide security training to employees, and designate a new chief information security officer. Additionally, $10 million was allocated to reimbursing customers for the inconvenience and time lost fixing fraudulent charges on their accounts.
Multinational conglomerate Sony Entertainment has also been accused of less-than-secure networks after the brand suffered repeated breaches, with some estimates claiming ten breaches in the past four years. The most notable of these were the 2011 hack wherein Sony’s PlayStation network was put out of service for 23 days by the group Anonymous, and the 2014 hack by North Korea ahead of the Hollywood release of the film The Interview.
During the series of attacks on the PlayStation network by “hacktivist” group Anonymous and its offshoots, subscriptions and purchases were halted when the personal information of nearly 100 million users was compromised. Sony estimates the hard costs of the incident at around $171 million. The entire cost related to the hacks, which includes bolstering defenses and increasing security, is estimated to be closer to $250 million.
Though Sony suffered an onslaught of minor breaches in the years that followed, another devastating hack made breaking news in 2014, this time at the hands of North Korea. The November attack came as Sony Entertainment was due to release The Interview, a comedy about an assassination attempt on Kim Jong Un, on Christmas day. The hackers wreaked havoc on the company by releasing sensitive material ranging from embarrassing company emails to the script of the yet-to-be-released James Bond film Spectre.
Although Sony took a modest $15 million hit to its finances as part of “investigation and remediation costs”, the subsequent (and controversial) decision to pull The Interview from theaters is estimated to have cost the company $100 million.
3. Saudi Aramco
Beyond well-publicized retail and entertainment security breaches, there have been a number of more costly infiltrations of corporations that have managed to go unnoticed by the public eye.
In one such case, a 2012 hack on petroleum and natural gas company Saudi Aramco has been cited as the most expensive hack in history. When a computer virus wiped out nearly 35,000 of the company’s computers, the Saudi Arabian oil distributor was forced to take its network completely offline, forcing the world’s most valuable company to operate via typewriter and fax.
Unable to process payments, Aramco, which provides at least 10% of the world’s oil, temporarily stopped the sale of oil to gas trucks. After 17 days, the company resorted to giving the oil away for free in order to fulfill Saudi needs. In addition to these losses, the company paid for an army of security personnel to begin building a reinforced network, and new computer software, including 50,000 hard drives bought at top dollar straight off factory floors in Southeast Asia. While the total cost has not been publicly quantified, the hack is estimated to have been the most expensive to date.
Protecting your business
Total losses related to cyber crime around the globe remain difficult to quantify because incidents often go unreported. Companies do not want to draw attention to their vulnerabilities lest they attract more hackers, unwanted publicity, or a hostile takeover, says Richard Power, editorial director of the Computer Security Institute (CSI). Power warns that this practice is extremely detrimental to the progress of online law enforcement and collection of data regarding hackers.
The Ponemon Institute says that although overall loss rose in all countries between 2013 and 2014, including a 9% hike in the U.S., there has been a decline in losses for companies that actively pursue best security practices and enable tested security technologies.
Scott Montgomery, chief technology officer at McAfee, recommends that companies become more data-centric and says businesses do not necessarily need to increase their security budgets in order to reduce hacking and its costs, but rather to reapportion them. He recommends hiring professionals who are highly skilled in coding and technology. Ironically, one of the only ways to beat hackers and shore up the losses they generate is to employ people who could be hackers themselves, because according to Montgomery, “There are not enough people who know what they are doing.”
Unfortunately for businesses around the world, the consequences of ignoring this growing problem come with a multimillion-dollar price tag.