Interview: Analyzing the Hidden Costs of Cybercrime

It’s little secret that the financial impact of cyber-attacks is significant and growing. The UK government’s Cyber Security Breaches Survey 2022, published earlier this week, found that the average estimated cost of cyber-attacks on medium and large companies was £19,400 in the past 12 months. In addition, with ransomware attacks surging, organizations are being hit with increasingly high extortion demands.

Yet, such ‘up front’ costs are often a fraction of the overall long-term damage that high-profile incidents can cause to organizations. To discuss this issue in more detail and actions organizations can take to mitigate the impact of successful cyber-attacks, Infosecurity recently caught up with Kelvin Murray, senior threat researcher at Carbonite + Webroot.

A number of recent high-profile cyber-attacks have reportedly caused astronomical recovery costs, such as that of Gloucester City Council. Is this a trend you have observed more generally, and if so, why? 

The tactic of cyber-criminals going after large targets for big pay-outs is generally referred to as ‘big game hunting.’ We have noticed this has been increasing over the past five years or so, especially when it comes to ransomware. The groups behind these attacks are usually very professional and often have political sponsorship or protection, which allows them to work without the fear of extradition that would usually come with attacking the government or other key industry targets. These groups are the ‘rock stars’ of their field of cybercrime, and they have highly developed malware and criminal infrastructures. They usually use this underworld fame to rent out parts of their criminal systems to lower-level criminals in the form of ‘crime-as-a-service.’ 

What are the hidden financial costs of successful cyber-attacks? 

The hidden costs of cyber-attacks can be astronomical. With ransomware attacks, for example, we find the hidden or additional costs of the attack amount to much more than the cost of the ransom itself, which is why so many choose to pay. Hidden costs include operational costs (loss of time), brand and reputational damage, data loss costs and heavy hits in the way of insurance premiums. 

The further ransomware spreads, the longer it takes to mitigate. Every infected device requires additional man-hours. Sent emails and attachments with malicious content multiply the work involved exponentially. A ransomware infection caught early may only need a few man-hours to remediate in best-case scenarios – but it can often spread rapidly across large sections of the business.

In our recent study, 46% of businesses that experienced ransomware said their clients were also impacted, and 38% said the attack harmed their brand or reputation. Also, once an organization has been breached, the likelihood of being breached again is very high. For example, one report claimed that 80% of ransom victims are repeat victims. 

Kelvin Murray, senior threat researcher, Carbonite + Webroot
Kelvin Murray, senior threat researcher, Carbonite + Webroot

How extensive can the long-term financial damage of brand reputation loss be to organizations? Do you think this is an element that is often underestimated by businesses? 

In the news, we have seen how the best and most prepared companies react to a breach or hack. I think what matters most from a PR standpoint are the steps taken after a breach and the openness and honesty in any communication with stakeholders or the public. If your customers’ data has been stolen in a breach, you must inform them fully as this data can and will be used in further attacks. The same would apply to partners, clients and other stakeholders – as cyber-criminals love to pivot from one target to the next to maximize profit. Companies like Norsk Hydro have inspired the world with their positive reaction to an attack that cost them over $70m in damages, so these moments can be an opportunity to improve security and your image at the same time.

We’ve also seen how organizations can underestimate the cost of cyberattacks. For example, the attack on Gloucester City Council impacted a large amount of its business, including online revenue and benefits, planning and customer services. The council has already gathered £630,000 of funds to assist in recovering their IT systems, but opposition councilors fear the final cost could be in the millions of pounds. Council chiefs also revealed they didn’t have insurance to cover the attack – an element that all large organizations should consider, as it will help lessen the financial blow if the worst happens. 

What measures should organizations put in place to reduce the costs and damage caused by a successful attack? 

There are some hi-tech attacks, but the number one cause of breaches is user error. Therefore, security awareness training is where I would draw the first line of defense, and studies have shown that testing your staff with simulated attacks is a great way to keep everyone on their toes. Secondly, AV with real-time URL detection is essential, as well as a comprehensive backup solution.

When it comes to potential ransom payments in the case of a ransomware attack, it’s important to note that organizations such as the FBI do not support paying a ransom to cyber-criminals. According to them, paying a ransom emboldens the adversary to target other organizations for profit and provides a lucrative environment for other criminals to become involved. Besides, it does not guarantee that an organization will regain access to its data. Instead, organizations should focus on having backups in place to execute recoveries that keep the business running in the event of unforeseen and unpredictable cyber events.

What’s Hot on Infosecurity Magazine?