The Economic Impact of Cyber Attacks
How Negligent Cybersecurity Policy Affects Companies
Drawing from the saying that a stitch in time saves nine, here is the story of a company that suffered a debilitating cyber attack due to hubris and negligence. The engineering firm, located in New York City, was hit by a ransomware attack when an employee innocently opened an email that infected all of the critical files on the firm's servers.
Within a few hours of this unfortunate occurrence, all 90 employees were stopped in their tracks from a production standpoint. Operations came to a screeching halt, and so did pending and incoming revenue. As if these were not enough, the cyber attack also rendered all of the firm's design files—which equated to twenty years of hard work—useless.
It is well known that the economic and psychological impacts of a cyber attack can be devastating. The cyber attack had an immediate adverse effect on the firm's current multi-million dollar projects. Not only did the firm's building construction projects stop, but connections with potential clients were also lost. The firm lost $50,000 for every day that the attack lasted. Together, these losses did irreparable damage to the firm's reputation, which would hamper its ability to win future contracts.
While it is normal that you sympathize with this firm over this untold hardship, you are definitely going to blame its management after knowing some of the firm's sensitive decisions in regard to the protection of its data before the cyber attack.
How Leadership Failed to Understand the Importance of Cybersecurity
A team of IT experts had earlier approached the firm to help improve its cybersecurity for a moderate fee, but the firm's management turned down the offer for different reasons, including the cost of the deal. Had the firm known what was imminent, it would not have hesitated to pay twice the fee proposed by the IT team to help tighten its cybersecurity.
Apart from the loss of revenue, client confidence levels were dropping rapidly. Current contracts were in jeopardy of being breached and their ability to deliver was at a standstill. Eventually, it was the same IT team whose offer was turned down that led the firm on the journey of recovering the data, though it did not come on a silver platter.
The Difficulties of Recovering From a Cyber Attack
The tech team went into disaster recovery mode and checked the local backups, only to discover that the hackers had deleted them. With 10 Terabytes of data involved, restoration would take weeks from the offsite cloud backup. Hence, the firm decided to pay the ransom of $10,000 demanded by the hackers to unlock the files, as that was the quickest option available for the firm to get back on its feet and become operational again.
As part of the process to pay the ransom, a bitcoin account had to be set up. Thus, a Google search was made to hire a bitcoin broker quickly to fast-track the transaction. After emails and texts were exchanged, the payment was made, and they waited for the bitcoin funds to hit their digital wallet, but the funds never arrived. The bitcoin broker duped them out of $10,000. This just added insult to injury.
With very few choices, they were forced to find another bitcoin broker. This time they were a bit more selective. By this time, it was 3 AM on Saturday, and all parties involved were, to say the least, restless. Luckily this time, the funds hit, and the ransom was paid. The unlock key was received, and the IT team rushed to a computer to free the files.
They followed the instructions to enter the key and launch the decryptor. As they waited with bated breath, nothing happened. The decryptor crashed upon each launch. It wasn't working, and the files weren't unlocking. The owner of the firm erupted into a volcano of rage, spewing expletives into the air. Having just lost $20,000, he swept his arm across his desk, clearing it of all objects.
The firm resorted to restoring from the cloud backup, and it took two weeks to get the data back. The cyber attack resulted in a $500,000 loss in revenue, clients seeking retribution for their losses, and an indeterminable amount of damage to their reputation. The owners decided to revisit the cybersecurity proposal presented six months earlier and implement the recommendations to improve their security posture. You could see the pen slightly bow as the owner signed the agreement, venting his frustration through the ballpoint, nearly tearing the paper.
Why This Example of Cyber Attack Matters
The point of the story about the New York engineering firm is to illustrate the danger of cyber attacks. We’ll now discuss what a cyber attack is, why cyber attacks are a problem and a threat, their effects on businesses, and why now is the ideal time to protect your data from attack.
What is a Cyber Attack and Why is it a Problem?
In simple terms, a cyber attack is an assault launched by cybercriminals using one or more computers against single or multiple computers or networks. There are many ways hackers achieve this. One popular method is through the use of botnets. Botnets are comprised of a network of computers that have been compromised and placed under the mothership's control. The mothership is operated by the cybercriminal, which in turn manipulates the child botnets.
Next, the criminal will issue commands to the computers to carry out their attacks. Commands could be to have your computers send out emails, infect other devices or perform a slew of other nefarious activities. Once this happens, you've lost control of your computers and most likely will not realize it.
Stealing from bank accounts is another common use for botnets. Malware on infected machines will wait for the victim to connect to their bank account and then allow the victim to authenticate. Subsequently, the bot will take over the connection and inject its own bank transfer commands into the system. To cover their tracks, criminals will hide those transactions from the victim when they look at their balance. You can't trust what you see on the screen, as cybercriminals work to ensure that you only see what they want you to see.
Another method of delivery is through malicious email. It is estimated that one in every 300 emails contains malware. However, even if you are really careful opening emails, there are other vulnerabilities. It’s akin to a game of whack-a-mole.
Yet another cybersecurity attack method is hacking social media accounts. Criminals will hack social networking accounts, and seed malicious links to bad URLs, infecting those who click and visit that site. This is called a drive-by install. It even enables hackers to harvest your account details and divert your money to their own untraceable digital wallets.
Lastly, cybercriminals also make use of distributed denial-of-service (DDoS) attacks. Similar to a mafia protection racket, denial-of-service attacks are used to disrupt the transactions of target companies, usually those with a high level of online activity. Cybercriminals will threaten to prevent a company from using its website for its purposes or even take it down for some time unless they are paid.
If the company refuses to pay them, then criminals send a command to their botnets to start flooding the company website with requests. Typical payments are between $10,000 and $50,000. This means that cyber attacks pose a great threat to the safety of companies' money, privacy, and data. A cyber attack is, therefore, a common enemy to all companies, and it is a problem that must be prevented.
Economic Effects of Cyber Attacks on Businesses
With faster Internet speeds and more businesses leveraging the Internet for operations, cyber attacks directly affect every business in one way or the other. As the population of companies increases, the threat of a cybersecurity breach grows, and the damage that it will cause is exponential.
Today, all companies rely on technology. Due to this, companies need to make cybersecurity a top priority, but most don't. Many organizations operate on outdated network infrastructures, vulnerable software, and a fundamental lack of security.
Since the task of protecting our networks from hackers is one of the significant challenges that we will face over the next few decades, if not longer, a cyber attack stands to be one of the biggest problems of any business in the world. When a company falls victim to an adverse cyber event, it may face a variety of losses, ranging from those that are easy to observe and quantify to those that are not. Listed below are some real possibilities.
- Loss of IP
- Loss of strategic information
- Increased cost of capital
- Reputational damage
- Loss of data and equipment
- Loss of revenue
- Cybersecurity improvements
- Bad PR
- Customer protection
- Regulatory penalties
- Court settlements & fees
- Breach notifications
Adverse cyber events usually force small and medium-sized businesses to close prematurely. IP theft could wipe out the firm’s entire livelihood. Similarly, a business disruption that lasts several days could cause customers to abandon a small firm permanently. Finally, the fixed costs of dealing with a breach or attack, such as the cost of cybersecurity improvements and legal fees, would represent a larger fraction of a small firm’s operating budget.
In light of this, every business has to take necessary preventive measures to avoid being attacked. No business is free from the possible scourge of cyber attacks, as hackers target any industry they can profit from. A 2021 survey of small business owners found that 42% of all small businesses had fallen victim to a cyber attack within the previous year, yet more than a quarter of small businesses have yet to institute any precautionary cybersecurity measures.
Small and medium-sized businesses are at a high risk of being attacked by ransomware, which renders a firm’s files inaccessible until a ransom is paid. They are also prone to attacks that exploit weaknesses in email systems in order to trick firms into transferring large sums of money into the perpetrators’ bank accounts.
According to another report, an adverse cyber event costs the victim company over $7,000 on average. For small businesses whose business banking accounts were hacked, the average loss was $32,000. For the median company in the same study, in terms of revenues, these numbers represent, respectively, 0.28 percent and 1.28 percent of firm revenue. Although these are fairly low numbers, events are typically underreported, and the firms in the survey likely only quantify immediate and easily observable losses.
How Business Owners Can Protect Against Cyber Attacks
Did you know that cybercrime is a 1.5 trillion-dollar industry? Many people are shocked to learn that cybercrime is, in fact, an industry, but this is simply a sad truth of contemporary reality. Cybercrime is a big business, and the business is good for hackers. For this reason, hackers invest a lot of time and effort into activities that help them map out efficient strategies for hijacking your data.
This means that you, in turn, have to strive to protect your data from cyber attacks if you do not want to bear the consequences discussed above. Different protective measures that can help you keep your files safe against all forms of cyber attack are discussed below.
Defense in Depth is a concept used in Information Security in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited so as to cover aspects of personnel, procedural, technical, and physical security for the duration of the system's life cycle. Being a layering tactic, the idea behind the defense-in-depth approach is to defend a system against any particular attack, using several independent methods. Defense in depth can be divided into three areas: Physical, Technical, and Administrative.
- Physical Controls: Physical controls are anything that physically limits or prevents access to IT systems. Fences, guards, dogs, CCTV systems, and the like belong to this category.
- Technical Controls: Technical controls are hardware or software whose purpose is to protect systems and resources. Examples of technical controls would be disk encryption, fingerprint readers, and authentication. Hardware technical controls differ from physical controls in that they prevent access to the contents of a system, but not the physical systems themselves.
- Administrative Controls: Administrative controls are an organization's policies and procedures. Their purpose is to ensure that there is proper guidance available in regard to security and that regulations are met. They include things such as hiring practices, data handling procedures, and security requirements.
Furthermore, the onus of cybersecurity responsibility falls on the shoulders of an organization’s management who have to ensure that the proper safeguards are in place. This is a daunting task, especially when attacks are coming from every direction, but it is a responsibility one must bear. Vulnerabilities include mobile devices, PCs, servers, cloud applications, email, websites, control systems (IoT), and, last but not least, humans.
Unfortunately, there’s no magic bullet. Defense in depth is the best strategy, and it is achieved through a layered approach. A multitude of tools must be utilized to mitigate threats from multiple attack vectors. Refer to this list of safeguards that should be on your radar.
- Security Assessment: It's important to establish a baseline and close existing vulnerabilities. When was your last assessment? Get a certified cybersecurity professional to do this on a routine basis.
- Email Security: Secure your email with enhanced security features like email filtering, email fraud blocking, URL validation, and attachment scanning. Basic antispam is not enough.
- Password Security: Apply security policies on your network. Examples: Deny or limit USB file storage access, enable enhanced password policies, set user screen timeouts, and limit user access.
- Security Awareness Training: Utilize services to train your users - often! Teach them about data security, email attacks, and your policies and procedures. The HUMAN FIREWALL is one of your biggest weak spots.
- Advanced Endpoint Security: Protect your computers and data from malware, viruses, and cyber-attacks with advanced endpoint security. Regular Antivirus will no longer suffice. Today's latest technology can even roll back a ransomware attack.
- Dark Web Research: Utilize a Dark Web scanning service. Knowing in real-time what passwords and accounts have been exposed on the Dark Web will allow you to be proactive in preventing a data breach.
- SIEM (Security Incident & Event Management): Use a SIEM product to collect logs from machines and network devices, review data, correlate data with threat intelligence feeds, and deliver actionable intelligence to thwart attacks.
- Web Security: Internet security is a race against time. Use web security products to detect threats as they emerge on the internet and block them within seconds—before they reach the user.
- Encryption: Enable hard drive encryption and encrypted file systems whenever possible. The goal is to encrypt files at rest, in motion (think file transfer), and especially on laptops.
- Backup and Disaster Recovery: Back up locally and offsite to the cloud. Include in your DR plan a way to spin up servers and access data in the event of a disaster. It's imperative that you test backups periodically.
It’s Time to Prioritize Cybersecurity
In summary, the impact of a cyber attack on a business can be devastating. Revenue is one of many concerns, including reputation, investments, and the effects on your clients. At this point, it's apparent that being connected to the internet can be very dangerous and the best approach is to strengthen your security posture. Taking the Defense in Depth mindset with a layered approach to security will afford a company the best chance at staying out of harm's way.
About CyberTeam and its CEO
This article was authored by CyberTeam CEO, Leonard Galati and originally appeared in the book, Adapt and Overcome: What Business Owners Need to Do to Keep Employees, Clients and Infrastructure Safe During a Time of Crisis.
Over the last 30 years, Leonard Galati has gone from defending our nation as a US Marine to protecting global businesses as the CEO of CyberTeam, a private IT & CyberSecurity firm. His zeal for network security led him into the world of information technology after 9 years of active service as a Marine. In order to help as many organizations as possible to protect their data from cyber attacks, he launched CyberTeam in 1998, serving the tri-state New York area. As a CISSP (Certified Information Systems Security Professional), he has been running cybersecurity programs for his clients with an unwavering dedication to his craft.
Leonard Galati conforms to best practices, and the NIST framework has been his standard. Through his vCIO consultations and programs, clients have benefited greatly and, as a result, steer clear of cyber attacks. His wealth of experience as the CEO of CyberTeam has made him an expert regarding the dangers of cyber attacks. For recommendations on solutions to help mitigate the risk posed by the inherently dangerous nature of the internet, you can contact Leonard Galati and his team.