With the advent of digitization in the business world, companies will undoubtedly fall victim to a cyber attack at some point in their lifespan. Loopholes and gaps in weak cybersecurity networks allow perpetrators to extract sensitive or proprietary data for various malicious endeavors. Furthermore, a cyber attack can have rippling effects leading to more, albeit delayed, consequences. A cyber attack can inhibit daily business operations, but can also trigger unnecessary monetary costs, usually from disgruntled customers or fines incurred from violating information security regulations.
Why Do Cyber Attacks Occur?
A cyber attack happens when the confidentiality, integrity or availability of data is compromised. It can manifest in many different ways, including but not limited to DDoS (Distributed Denial of Service), phishing of private information, and the deployment of Malicious Software (Malware) such as viruses or trojans. On May 28, 2020, in a single day, 49,127,689 cyber attacks worldwide were recorded on the Live Cyber Attack Threat Map, which equates to 568 cyber attacks occurring every second!
Key International Cyber Attacks in 2019
With every passing year, cybercrime worsens. 2019 saw some of the biggest cyber attacks.
In March 2019, Capital One suffered what is considered to be one of the largest financial institution hacks. A lone hacker managed to access Capital One's secure network, accessing more than 100 million customer accounts, more than 100,000 Social Security numbers, 80,000 bank accounts and several addresses, credit scores and balances.
In May 2019, news aggregation website Flipboard experienced two cyber attacks — the first was identified in March 2019 and the second one in April 2019. Flipboard estimates that the data breach could have impacted almost 150m users and the databases that have been compromised hold account credentials including actual names, usernames, cryptographically protected passwords and email addresses.
No doubt, this casts a spotlight yet again on the importance of having a reliable cyber security network to protect personal data.
Key APAC Cyber Attacks in 2019
Asia Pacific (APAC) is equally vulnerable, or even more vulnerable, to cyber attacks on all scales. In part, this is due to the rapidly growing connectivity and digital transformation of APAC, which presents the ideal environment for cyber criminals to thrive.
In March 2019, Toyota revealed that unauthorized access had been detected on a server storing information on 3.1 million customers. The data that was exposed included names, addresses, dates of birth, occupation and other information of its customers.
In December 2019, the personal data of 2,400 staff of Singapore’s Ministry of Defence (Mindef) and the Singapore Armed Forces (SAF) may have been leaked through e-mail phishing involving malware. The breach occurred when ST Logistics, a privately owned vendor of SAF and Mindef, had phishing e-mails sent to its employees' e-mail accounts.
Do Businesses in APAC Need to Worry?
Businesses large and small need to establish a tight cybersecurity network in order to stand a chance of survival. In fact, research shows that 70% of attacks that occur are targeted at SMEs. According to Garrett, in the US, there had been an overall sharp increase in cyber attacks on companies in 2018 through methods such as ransomware attacks, business email compromise (BEC) attacks and spear-phishing attacks. According to Hiscox, 47% of SMEs had experienced at least one cyber attack in a single year and, of those, 44% experienced two to four attacks.
Additionally, a 2018 report written by the Cyber Security Agency of Singapore notes that as more businesses go digital, business email impersonation scams are expected to grow in tandem. The Singapore Police Force observed 378 business email impersonation scams in 2018, up from 332 cases in 2017. In total, businesses in Singapore suffered losses of close to S$58 million in 2018, an increase of about 31 per cent from 2017.
The reports on cyber attacks in APAC illustrate that APAC companies are not safe from malicious cyber attacks and there is an ever-pressing need for companies to strengthen their security network.
Business Risks and Costs of Cyber Attacks
A cyber attack not only compromises the security of a company’s cyber network, but also creates undesirable consequences for its business functions.
Tangible impacts are the immediate and measurable outcomes such as monetary costs. According to the U.S. Securities and Exchange Commission, the average cost of a data breach rose from $4.9 million in 2017 to $7.5 million in 2018. In Asia Pacific alone, a Microsoft and Frost & Sullivan study estimated that the potential economic loss can hit US$1.745 trillion, which is more than 7% of the region’s total GDP of US$24.33 trillion. A simple comparison by Hiscox shows that the average yearly cost of cyber security incidents is a minimum of US$34,606 for SMEs, while that figure is estimated at a minimum of US$1.05 million for large organizations.
Apart from the tangible impacts, companies also suffer intangible costs (the less measurable effects), such as the loss of corporate reputation or consumers’ trust in a company. This is illustrated by the earlier case of Facebook, where there was a loss of trust among users following the abuse of personal data. In fact, high-profile Facebook users instigated campaigns to encourage users to delete their accounts. Such business impacts are inevitable and can have a lasting effect on a company if the cyber issues are not resolved quickly.
As such, it is paramount that organizations adopt preventive measures and pay sufficient attention to their security posture. According to a 2017 report by the Ponemon Institute, companies with a stronger cyber security posture not only respond faster to a data breach, they also reportedly experience smaller degrees of business risk, as the average decline in their stock price is no more than 3% compared to a 5% immediate decline faced by companies with a weaker cyber security posture. Apart from this, organizations should also note that such risks increase with company size. In Asia Pacific alone, a large-sized organization can possibly incur an economic loss of US$30 million, more than 300 times higher than the average economic loss for a mid-sized organization (US$96,000).
Turning to the direct and indirect costs of a cyber attack, the main difference between these two types of cost is how easily each can be traced to a cost object. Direct costs include financial losses and data losses. Financial losses can take the form of lost productivity, fines and remediation costs. Experts estimate a direct monetary loss of US$3.4 million from cyber attacks in the APAC region (Microsoft Asia News Center, 2018). Indirectly, there is an estimated $9.7 million loss in opportunity cost for a company hit by an attack that threatens customer trust and the company's reputation. Induced costs include the spillover impact of a cyber breach on the broader cyber ecosystem and economy in the APAC region, such as a decrease in consumer and enterprise spending, which could lead to an estimated loss of $17.2 million.
With these costs in mind, you might think that companies will value cyber security and spend significantly in this area. However, that is not always the case. ATKearney revealed that the global benchmark of cyber security spending in medium to large enterprises as a percentage of GDP in 2017 is 0.13%. APAC countries such as Singapore (0.22%) and Japan (0.21%) hover around this number, but countries such as Malaysia (0.08%) and Indonesia (0.02%) do not. With this in mind, in order for ASEAN countries to secure a sustained commitment to cyber security, 0.35–0.61% of their GDP should be spent on cyber security between the years of 2017-2025.
Building a Well-fortified Cybersecurity System
The costs and risks mentioned above show how important it is for companies to build a well-fortified cybersecurity system. Let us go over some of the available measures and the costs they involve.
The average cost of a penetration test is between $4,000–$100,000 and the recommended testing regularity is once to twice a year. One of the reasons for this big range in pricing is the experience of the professionals. One big advantage of having highly skilled professionals conduct a penetration test is that they have experience to build on in their investigation, something specialized software often falls short on.
Another method is conducting a security audit, which costs from several thousand dollars to $20,000. A security audit will not only help to evaluate the company’s cyber security system, it also ensures compliance with regulations.
One last measure we will list is risk assessment. Risk assessment is essential for a company as it helps to lay out ground rules to protect data and also customize a risk model specific to the company’s needs.
With a number of different options available, how then should a company decide which measures to take? Here are some key points to note when choosing the best kind of products or vulnerability assessment measures.
Predicting Global Trends
Firstly, it is imperative to understand the common web vulnerabilities, as well as to study predictions in the markets surrounding cyber security issues. According to the Cisco/Cybersecurity Ventures 2019 Cybersecurity Almanac, cyber attacks are the fastest-growing global crime and are increasing in size, sophistication and cost. It has also been predicted that by 2021, cybercrime damages will cost $6 trillion per annum globally. To put this point into perspective, it will be critical to understand the possible threats the company might face and the severity of the damages that could result.
Another great way to ensure the company’s data is well protected is through awareness. It is vital to teach employees the importance of measures to safeguard data. This can be done through simple steps such as maintaining strong passwords and having multi-factor authentication for personal accounts. Horangi offers our Trainer product to help you raise cybersecurity awareness with your employees. Trainer’s customized cybersecurity modules are designed by leading security experts to drive disciplined cyber habits across the organization.
Constant Continuity in Assessment
Last but not least, regular cyber security assessments and reviews help to identify potential gaps in the security network. This is even more important when the company undergoes an update of systems or technology. During this process, there could be an oversight in the security system that allows attackers to launch an attack.
Originally written by QuanHeng Lim.