It is not as easy as breaking open a porcelain piggy bank, but stealing money in 2019 offers a greater reward.
Money is the shared goal of hackers with bad intentions, though their modus operandi differs. Cybercrime — defined by security breaches, malicious code, or internal threats — shapes how a company operates internally and how it is viewed by the public.
When security fails, the price tag to fix it is hefty and it can signal corporate irresponsibility. Security practices have to change, whether that includes workforce buy-in, larger budgets, or new solutions like more automation.
"Humans are still the weakest link," according to Accenture's 2019 Cost of Cybercrime study of more than 2,600 senior leaders. Human error is often at fault for exposing private information or undermining internal security practices with insider attacks.
Employees are more detrimental to security than hackers.
Defining risk in terms of financial impact makes the ears of nontechnical leaders perk up. Cybersecurity is the No. 1 external concern for CEOs; even CEOs in the financial industry rank it above the threat of another recession.
CIO Dive broke down Accenture's cost of cybercrime report over several years. Here are the most jarring numbers:
$13 million: The average cost of cybercrime for a company in 2018
Cybercrime hit the banking and utility sectors the hardest; both industries faced an increase from 2017. In 2018, cybercrime cost the banking industry about $18 million and utilities about $17.8 million.
The public sector suffers the least financial burden of cybercrime, with an average cost of almost $8 million in 2018, according to the report.
However, when Atlanta was hit by hacker group SamSam nearly a year ago, the city's recovery costs were substantial. After the first month, the city coughed up $3 million and by June, the office of the CIO requested another $9.5 million.
The financial costs of a cyberattack are only the beginning. Attacks can leave enterprise systems damaged beyond repair, requiring a technology refresh outside a planned budget or buying cycle.
A technology refresh cycle is costly and laborious. While Atlanta's city employees were sharing a "single clunky personal laptop," after 2017's Nyetya attack Maersk performed a "herculean resilience." In 10 days the shipping company reinstalled more than 4,00 servers, 45,000 PCs and 2,500 applications. Most agree that Maersk's recovery was somewhat of an anomaly.
67%: The increased rate of security breaches over the last five years
In 2019, name some of the most historic data breaches, including Yahoo, Equifax and Marriott.
Companies scarred by their security flaws have shown they are cleaning up their acts. Some companies, like Home Depot, appoint a CISO after not having a formal security chief.
But between 2017 and 2018 there was about an 11% increase in the average number of security breaches alone, not including other modes of cyberattacks, according to Accenture.
Only about one-third of companies view security as a threat to business growth, yet companies and nontechnical employees continue to introduce digital services to their environment, adding risk or compliance issues.
In light of a possible economic decline, it's tempting for companies to support investments that will yield quick returns while delaying expenditure on long-term projects. The addition of digital services demands a layer of security from development and beyond, or companies risk becoming the latest to headline a breach story.
11%: The rise in malware-related costs from 2017 to 2018
Malware is the most expensive cyberthreat for companies, totalling about $2.6 million in 2018.
Despite the shambles 2017's ransomware attacks left companies in, ransomware was almost the cheapest cybercrime, outranking just botnets. Ransomware cost under $700,000 for cybercrime in 2018.
The lingering concern with cyberattacks is how long a business must function without the systems it relies on. The interruption of business, lost information, revenue loss and equipment damage are the four primary "consequences" of cybercrime, but each comes with its own price tag.
The most costly consequence is lost information, reaching nearly $6 million in 2018. By comparison, in 2015 lost information cost less than $3 million. The cost of business disruption reached about $4 million in 2018 compared to just $3 million in 2015.
The costs come down to how much companies spend to discover, investigate, contain and recover from cyberattacks. "After-the-fact activities" like offsetting business interruptions and losing customers are also included in expenditures.
Balancing the gap between the customer experience and digital security is a fine line for IT professionals to walk, especially when budget, staff, time and implementation efforts are weak. Still, the most interest lies in authentication and identity verification methods, like biometrics.
One last stat: The largest fine to date under the GDPR was $57 million.
Recovery from cybercrimes is expensive, but new regulations and fines will raise those costs.
With the emergence of stricter regulations regarding consumer privacy and data rights, companies have to be more diligent about managing information.
Google was on the receiving end of a "game changing" GDPR fine in February after regulators claimed the company failed to appropriately relay what data was collected, why it was processed, how long it was stored and how it sufficiently obtained consent from users.
Google has since begun the appeal process, claiming it created a GDPR-compliant consent process for personalized ads.
As California mounted its privacy laws last year, which go into effect on Jan. 1, 2020, the country is revving up for further regulations and therefore larger fines for data and security misconduct.