The impact of a cyberattack can be devastating if you are one of the organisations affected. The recent (May 2017) WannaCry ransomware attack saw organisations as diverse as the National Health Service (NHS) in the UK and international shipping firm FedEx breached, as well as computers in 150 countries across the globe.
WannaCry worked by infecting a system and encrypting files on that machine, before forcing the owner to pay the attacker a ransom in Bitcoins to receive the decryption key. Although the panic it caused was widespread, the actual damage caused was relatively low on this occasion, and CNBC revealed that the hackers behind WannaCry have only made $50,000 worth of bitcoin.
The other saving grace was that the data held by organisations was not stolen, arguably a much greater threat than ransomware. Not only is data theft easier to carry out, with more approaches available to an attacker, but the consequences are greater. Once data has been stolen, the organisation it was stolen from can never recover complete control of that data again.
But a cyberattack doesn’t just impact the organisations that get hacked. There are serious repercussions for the global economy too, and an attack can cause billions of dollars in damage. The threat is even greater for heavily regulated industries such as health care and financial services (FS). Here are some stats that reveal the scale of the problem:
A major cyberattack may cost the global economy $53 billion – this Lloyd’s of London prediction is based on the rise in the sheer volume and complexity of cyberattacks, and the report it comes from states that a serious cyberattack could cost the global economy as much as a devastating natural disaster.
Unique malware is on the rise – in 2016 Symantec identified 100 new malware families released into the wild, more than triple the number seen previously. There was also a 36% increase in ransomware attacks worldwide, while instances of stolen identities increased 23%. However, SonicWall CEO Bill Conner believes those figures are actually even higher, stating in a recent interview that in 2016 there were 638 million attacks, compared with 3.8 million in 2015.
Risk from inside the company – while instances of malicious intent from employees remain relatively small, unauthorised use of third-party software without the knowledge of a firm’s IT department is becoming a major source of malware, and is on the rise. A recent IBM study showed that in FS, 5% of attacks come from malicious insiders, 53% from inadvertent actors (as outlined above) and 42% from outsiders.
IT Risk Is Now A Business Risk
So a cyberattack undoubtedly has implications for the global economy, as well as for the individual organisation targeted. While one business cannot legislate for what every other business does (or does not do) to protect itself against attack, there is an element of collective responsibility. If everyone took the threat of cyberattack seriously, then its impact would be significantly reduced.
Part of the problem is that organisations still see cyberattack as an IT risk. Emphatically, it is not. The figures shown above highlight the fact that cyberattack is a business risk and should be treated as such. Any organisation that approaches cyber security as a business risk will not only benefit from a real-time and integrated view of all cyber security threats, offering a better level of security and performance, but will also contribute to the collective responsibility to protect the global economy. It’s an approach that makes perfect sense and one that many organisations are choosing.