Corporate cybercrime costs global businesses in all markets and all industries billions of dollars every year. And that’s just the corporate hacking that we know about – there’s plenty more that we don’t hear about because of its sensitivity.
Billions Each Year
The Center for Strategic and International Studies (CSIS) estimates that corporate hacking costs the global economy as “little” as $375 billion and as much as $575 billion annually.
The costliest corporate hacking comes in the form of leaks from insiders and web-based tactics such as denial of service (DoS) attacks – bombarding a company’s website with traffic to overload the servers hosting the website and shut it down.
Total costs include direct losses to the cybercriminals and the costs associated with defending against and recovering from cyber attacks.
All markets and industries are reporting cybercrimes, although certain industries are getting hit harder than others. According to CNNMoney, the energy and financial services sectors are losing the most – an annual average of $12.8 million for energy and $13.5 million for financial services, in the U.S. alone.
Cleanup and Brand Damage
A large portion of these figures comes from opportunity losses and the costs associated with cleaning up the mess after an attack.
Cleaning up cybercrime is expensive. The cost to individual companies of recovery from cyberfraud or data breaches is increasing. While criminals will not be able to monetize all the information they steal, the victim has to spend as if the criminals could use all the stolen data. The aggregate cost for recovery is greater than the gain to cybercriminals.
One study of the cost of cybercrime for Italy found that while the actual losses were only $875 million, the recovery and opportunity costs reached $8.5 billion. The bill for recovery costs is where the real damage to society begins, and the effect on a business can include damage to brand and other reputational losses and harm to customer relations and retention.
For example, Home Depot’s stock dropped 2.4 percent after cybercriminals stole 56 million payment card numbers and 53 million email addresses in September 2014, according to Bloomberg.
Also, Sony’s stock fell 1.1 percent in November 2014 after cybercriminals exposed employee records, including salaries, as well as some sensitive emails among Hollywood executives. And Anthem’s stock dropped 1.1 percent in February 2015 after cybercriminals stole social security numbers, email addresses and physical addresses.
The Ones We Don’t Know About
Not every company that gets hacked is big enough to get a headline in the financial pages or tech wires, and, more significantly, not every company has to publicize a corporate cybercrime attack.
Corporate cybercrimes that the Department of Homeland Security (DHS) deems strategically sensitive don’t make the statistics. These are the attacks on U.S. infrastructure and the corporations that serve a function in that infrastructure.
According to an investigation by CNNMoney, there’s a lid over attacks on things like dams, natural gas pipelines and public utilities.
Although dozens take place every year, the public doesn’t hear about them (actually, neither do regulators who make safety regulations or the computer engineering educators training the young minds that will do battle against hackers in the future).
What we do get is public records of the penalties levied against companies when they let their security lapse:
There was the power company that didn’t bother to turn off communication channels on its gear at mini-stations along the electrical grid, leaving access points completely open to hackers. It was fined $425,000.
Another power company forgot to patch software on 66 percent of its devices, thus exposing them to known flaws exploited by hackers. It got a $70,000 fine.
Corporate cybercrime is an industry on the rise. Every year, hackers get more sophisticated and the damage they inflict gets costlier.
These aren’t the simple, fumbling attacks they used to be. They’re sophisticated, complex schemes that incorporate digital hacking, social engineering and phishing.
Their multi-tiered approach requires a multi-tiered defense. For example, it’s often the social engineering part that gets you. Which means educating company personnel has become an important part of defending against cybercrime.
– Kirk Porter, President of Avitus Technologies
According to research firm Juniper, the more digital we get as a society – in our private lives and in our records held in business databases – the more corporate hacking will grow. Juniper estimates that, by 2019, data breaches will cost $2.1 trillion worldwide.
Juniper reports that attacks on mobile devices and the Internet of Things (IoT) will grow somewhat, but most hacks will still occur against existing IT and network infrastructures.
Billions Lost, Billions More to Come
By all accounts, corporate hacking is costing global companies billions of dollars every year, all over the globe and in all types of industries.
And it’s just getting started. The more we digitize as a society, the more vulnerable we become. And the more sophisticated and prolific the corporate cybercrime industry becomes as well.