Research findings are demonstrating just how prevalent and costly cyber attacks have become.
Coveware, a Connecticut-based firm that responds to ransomware attacks, recently reported in a blog post that the average payment by clients hit by an attack was $84,116 in the fourth quarter of 2019. That’s more than double what Coveware clients who were attacked paid on average in the third quarter to get their data released.
Ransomware incidents lasted an average of 16.2 days, according to Coveware.
Complaints to the FBI Internet Crime Complaint Center grew more than 62 percent between 2015 and 2019 to 467,361 cases reported to law enforcement globally. Associated losses in the same timeframe more than tripled to $3.5 billion.
Cumulatively from 2015 to 2019, the FBI received 1.7 million complaints about internet crimes that generated total losses of $10.2 billion.
In Michigan, the FBI recorded 2,029 internet crime complaints, ranking 17th among the states, for $13.4 million in losses, which ranked 21st.
The total cost to a company from the resulting business disruption and lost business, as well as responding to and managing a data breach, averaged $3.9 million globally, according to the 2019 Cost of a Data Breach Report from IBM and the Traverse City-based Ponemon Institute. The loss of business or sales resulting from a data breach was the biggest cost, averaging $1.4 million.
In the U.S., the average cost from a data breach was nearly $8.2 million across businesses of all sizes, the highest average in the world.
The larger the company, the larger the cost, according to IBM and the Ponemon Institute. Companies globally with 500 or fewer employees that suffered a breach recorded an average loss of $2.7 million. That grew to $5.1 million for businesses that employ 25,000 or more people.
Per-employee average costs globally hit small businesses harder. They ranged from a low of $204 for the largest employers to $3,533 for companies with 500 to 1,000 employees.
“Thus, smaller organizations had higher costs relative to their size than larger organizations, and a breach could harm their ability to recover financially from the incident,” according to the IBM-Ponemon Institute report.
The IBM and Ponemon Institute report is based on interviews with more than 3,200 professionals at 507 organizations that experienced a breach between July 2018 and April 2019.
Phishing or some variation of phishing was by far the most prominent form of attack with more than 114,700 cases reported to law enforcement, according to the 2019 FBI report.
The FBI report also noted a growing use of attacks known as business email compromise (BEC) and email account compromise (EAC). Those are sophisticated scams targeting individuals and businesses for a transfer of funds or data.
Oftentimes, BEC/EAC attacks involve scammers spoofing the email account of a company executive. An unsuspecting employee who receives the email and believes it to be legitimate wires money as instructed or parts with sensitive information such as bank account numbers.
The FBI report said 2019 saw an increase in BEC/EAC attacks on business payroll accounts using spoofed emails sent to HR or the payroll department. Overall in 2019, the FBI Internet Crime Complaint Center received 23,775 BEC/EAC complaints with adjusted losses of more than $1.7 billion.
Since 2013, BEC/EAC attacks have evolved from hacking or spoofing email accounts of chief executives or chief financial officers to compromising personal and vendor emails, requesting large amounts of gift cards, asking for W-2 form information and, lately, diverting payroll funds, according to the FBI.
IBM and the Ponemon Institute say those kinds of malicious data breaches are now the most common attack and the most expensive, costing companies an average of $4.4 million. Malicious or criminal attacks that were the root cause of a data breach accounted for 51 percent of all attacks in 2018-19, up from 42 percent six years earlier.
In US Signal Co. LLC’s recently released State of the Data Center report, nearly two in five survey respondents reported they had been affected by a ransomware attack in the last twelve months.
Discovering a breach can take “months or longer” in 56 percent of the cases Verizon analyzed for its 2019 Data Breach Investigations Report. The IBM-Ponemon Institute report put the time to identify and respond to a breach at 279 days.
Hacking and cyber attacks have become a lucrative business for those behind them, said Trevor Bidle, vice president of information security at US Signal.
“It’s very much a business enterprise,” Bidle said. “Until we can de-incentivize the bad actors, this is going to (continue) as a lucrative criminal enterprise.”