£1.2 trillion. That is what cyber-crime across the world cost in 2018, says ‘The Evil Internet Minute’, the annual research report by RiskIQ. According to the report, the cost per minute was £2.3 million last year, up from £0.68 in 2017.
Attack tactics range from malvertising to phishing to supply chain attacks that target e-commerce, such as the Magecart hacks, with the total number increasing by 20 percent in 2018. Attack motives include monetary gain, large-scale reputational damage, political motivations, and espionage.
Every minute counts
"As the scale of the internet continues to proliferate, so does the threat landscape," said Lou Manousos, CEO of RiskIQ. Condensing the large number of attacks into the context of an 'internet minute' helps one understand the impact better, he added.
However, the number of malware attacks globally seems to be decreasing from the record-breaking 10.52 billion attacks in 2018, said another research report by SonicWall.
"Fortunately, during the first six months of 2019, that trend slowed — at least somewhat. SonicWall recorded 4.8 billion attacks, a 20 percent drop compared to the same time period last year," said the report.
That was not the case when it came to IoT malware, noted the report.
"The speed and ferocity in which IoT devices are being compromised to deliver malware payloads is alarming. In 2017, SonicWall logged just 10.3 million IoT attacks. Last year, that number skyrocketed 215.7 percent to 32.7 million," the report said.
The first half of 2019 saw 13.5 million IoT attacks, up 55 percent from the first two quarters of last year, according to the report. "If the final six months of 2019 match the surge of 2018, it will be another record year for cyber-criminals’ use of IoT malware," it said.
The average cost per breach has gone up 12 percent in the past five years, to £3.14 million globally, said a study by the Ponemon Institute and IBM. The UK saw a 10.56 percent increase in the past year alone, to £2.99 million on average.
According to the IBM report, data breaches in the US are the most expensive, costing £6.6 million, or more than double the average for worldwide companies.
The average size of a data breach in the UK has increased 3.6 percent, with the per capita cost per lost/stolen record reaching £119.
"For the ninth year in a row, healthcare organisations had the highest cost of a breach – nearly US$ 6.5 million (£5.2 million) on average (over 60 percent more than other industries in the study)," the study said. The NHS, still recovering from the WannaCry impact, remains highly vulnerable to cyber-attacks.
The numbers in the IBM report are modest, said Ilia Kolochenko, founder and CEO of ImmuniWeb.
"I think that true aggregated costs of a data breach are considerably higher than the numbers from this alarming report. It is often impossible to measure damages in a reliable and certain manner due to their ongoing effect and indirect nature," he said.
He observed that companies usually calculate immediate and direct losses alone, omitting possible legal costs and regulatory penalties that may take years to get into the accounting books.
Old bottle, new returns
Ransomware continues to fatten the pockets of cyber-criminals despite the overall decline in malware volume, noted the report.
"The most alarming ransomware data was sourced from the UK. After enjoying a 59 percent decline in ransomware in 2018, the region saw ransomware volume jump 195 percent year-to-date for the first half of the year," it said.
Phishing is also on the rise, according to the RiskIQ report. Attackers are moving from forging mail to compromising legitimate email accounts. A weakness found in Microsoft Excel allows hackers to drop and execute malware, making every user vulnerable. As usual, attackers prefer easy targets such as the higher education sector, which lacks corporate-level security measures.
The age-old business email compromise (BEC) scammers are now snaring customers of their target companies by harvesting their details from aging reports -- schedules of accounts receivable -- from collections personnel.
"The criminals behind this BEC scam are highly skilled in social engineering techniques. Not only did they send an email posing as the company's CEO, which increases the likelihood that employees would take action on the request, but they also didn’t ask for a payment straight out, which is fairly unusual for phishing campaigns," said Corin Imai, senior security advisor at DomainTools.
"Organisations continue to struggle to track the evolving patterns of cyberattacks — the shift to malware cocktails and evolving threat vectors — which makes it extremely difficult for them to defend themselves," said SonicWall President and CEO Bill Conner.
SonicWall probe faced 74,360 ‘never-before-seen’ malware variants in the first half of 2019. "To be effective, companies must harness innovative technology, such as machine learning, to be proactive against constantly-changing attack strategies," he added.
Prioritising employee cyber-security training and investing in an efficient email filtering system is crucial for organisations, suggested Imai.
"There should be a collective effort to make criminal campaigns unsuccessful, which is what ultimately will disincentivise malicious actors from continuing to pursue them," he said.
"Modern companies collect incrementally more data on their clients thereby skyrocketing potential costs of a data breach," noted Kolochenko.
Penalties on BA, Equifax and Marriott show regulatory agencies becoming strict towards hacked companies. "In light of such unprecedented appetites by those authorities, it wouldn't be unreasonable to suggest that upcoming security incidents will cost tremendously more than they do today," he added.