Cyber Security: The true cost of cyberattacks

Bad for the business, bad for staff and bad for customers: cyberattacks are a real issue these days, but a multi-pronged strategy can dramatically lessen the risks, writes Jason Walsh

Edel Mee, managing director, IT Security People Picture: Aidan Sweeney

Barely a month goes by without a corporation hitting the headlines having suffered a cyberattack. Imagine, then, the number that don’t make the news: companies too small to get the page one treatment, those who simply haven’t reported what has happened or, worse still, those who don’t even know that they’ve been hacked.

Make no mistake: cyberattacks, which are now professionally organised by mafia-like gangs, are a threat to all businesses — and to the economy as a whole. Ransomware damages alone are predicted to cost the world economy $11.5 billion (about €10.32bn) in 2019.

Edel Mee, managing director at IT Security People Ltd in Co Clare, said some aspects of cybersecurity were not well understood.

“There are many hidden costs to cybercrime that are often overlooked,” she said.

There are two broad categories of cybercrime that businesses encounter: random attacks and targeted ones.

“There are many different methods of attack and the problem for IT security teams is that the exploits are evolving and changing all the time,” said Mee.

“Random attacks are the ones where the hacker churns out code to test against a block of IP addresses or sends spam with links to a wide variety of email addresses. These are opportunistic attacks. Targeted attacks are where they go after a specific company or user in a company,” she said.

Both types of attack can have a devastating effect on a company’s bottom line, and lost time is a major issue too.

“If a breach occurs, the hours lost by the company can be huge. A breach investigation impacts on everybody’s time,” said Mee.

This is backed up by recent analyses, including one from Accenture, which has reported that the average cost in terms of lost time arising from a malware attack is 50 days. Attacks can spread quickly and even an unsophisticated attack can destroy the reputation of a business that will already be beleaguered when investigating and containing the breach.

“You don’t want a situation whereby your company is sending emails to customers and suppliers and recipients are wondering if your emails are genuine. Following a breach there may be an undercurrent of mistrust surrounding your email messages,” said Mee.

Mee, who holds an MSc in Security and Digital Forensics, said there was more to cyberattacks than losses. Psychologically, they can be a real problem for staff and can have a serious impact on morale, she said.

“If money is lost because of a breach the person whose mailbox was targeted usually feels very guilty about what happened — and the fact that everyone and their mother is talking about it rubs salt into the wound,” she said.

Users often report feeling violated because someone has been in their mailbox for weeks, if not months, reading all of their messages. Mee said staff members needed to realise that they are not the cause of the breach.

“They have been manipulated in what is known as a social engineering attack,” she said.

“The attacker is exploiting human nature, our willingness to communicate, our willingness to help each other, they are leveraging the fact that we are all busy. They mark emails as urgent or make it look like our manager or boss is requesting or authorising the payment.”

The human is often called the weakest link in the IT security profile of an organisation, according to Mee. Our hardware and software IT security tools — firewalls, antivirus, encryption and so on — can be configured and tested, but our users can’t.

“We have different levels of knowledge, ability, willingness, stress levels, bad moods and allocation of time to deal with when we as IT people are trying to configure our humans. Add that to the fact that people don’t consider IT security the most riveting of subjects, and you have a difficult mix. The attackers know this, that is why many of the successful attacks start out using exploits that are often technically quite basic,” she said.

The answer, Mee said, is for organisations to help staff understand the dangers by training them to identify basic sources of attack. Other errors can compound attacks after the fact: when hit with a ransomware attack, paying up is one option — and some businesses and individuals take it, generally out of desperation. While it is understandable, Mee said that this is not a good idea.

“Some will, but they don’t know if the attacker will release the data. Will the attacker encrypt their files again because they have paid up once?” she asked.

Mee added that giving money to criminals in the hope that they would honour their word was not entirely logical. “How do you trust a hacker?” she said.