Cyber attacks against businesses of every size are increasing in number, in variety, and in cost. Company losses include theft of cash, employee identity information, stolen files and proprietary information, network downtime, lost sales, and reputational damage. For a small privately held business, a serious breach can be fatal to the company.
For large companies that suffered widely reported breaches (Equifax, Yahoo, Moller-Maersk and Anthem Healthcare), these events cost millions of dollars in direct losses, lost shareholder value and lost reputation, and their CEOs and other senior staff became “free to pursue other interests.”
In my personal experience, attacks against company websites that I manage are an ongoing, daily, automated deluge. Even with good website security, there are hundreds of attempts in an average day. Phishing emails constitute another daily attack vector, with the average business employee receiving 4 phishing emails a day.
A recent report by Radware puts some frightening numbers on the trends. Radware surveyed 790 companies from around the globe, across a variety of industries and company sizes. The statistics follow. Those of you with good math skills will notice that in many cases the values total more than 100%; this is because some organizations experience more than one kind of breach or incident.
Motivation of the attacker
- Financial 51%
- Political 31%
- Unknown motive 31% – This number would indicate that the attack was not fully investigated
- Insider threat 27%
- Competition (Corporate espionage) 26%
- Angry users 18%
- Cyberwar 18%
Frequency of Attacks
- No cyber attacks in a year 2% – I tend to doubt it. They probably just didn’t notice.
- Daily 21%
- Weekly 13%
- Monthly 13%
- Annually or semi annually 27%
- Never 7% – Again, I tend to doubt it.
- Unknown 19% – Not looking for it, or missed it.
Techniques and Tactics
- Bots and malware 76%
- Phishing and social engineering 65%
- DDoS (distributed denial of service) 53%
- Web site and web app attacks 42%
- Ransomware 38% (down from 59% the year before)
- Crypto-mining 20% (up from zero the year before)
- All Other 1%
Estimated Cost of Attack
- Small business (under 1,000 employees): $450,000
- Mid-market business (1,000 to 10,000 employees): $1.1 million
- Large corporation (10,000 or more employees): $2.1 million
Costs to businesses may seem high, but they include the direct costs of extra labor hours, forensic investigations, security audits, and network hardening. Indirect costs can include technical and security consultant fees, regulatory fines, customer compensation, lawsuits and settlements, increased insurance premiums, and stock price drops. There will be additional costs for remediation and prevention, including hardware and software solutions and creating or updating an incident response plan.
My conclusion is this: if you think you are too small to be a target, you are wrong. And if you think you have never been attacked, you are wrong. Many attacks, especially those known as “advanced persistent threats” (APTs), go undetected and may continue for as long as two years. The smart play is to assume you are under attack and defend appropriately.