Cyber Security and the 10 billion dollar strike

January 10, 2024

The eternal struggle

The race between good and evil always starts the same way. The bad guy runs first, because running is what he lives on, and gets up to his usual tricks, which sends the good guy running after him. In the cyber world, it is no different.

That cybercrime moves mountains of money is nothing new. We are not even surprised when we read an FBI report stating that these mountains can exceed ten billion dollars. I'll put it in digits, so we can see the magnitude: 10,000,000,000.

However, when we review certain studies on the state of cybersecurity in companies, we find more fear of suffering a cyberattack than willingness to spend on preventing one. Although the figures are frightening, they can be confusing, because they are approximate and because no one knows what share of the ten billion dollar pie their own company will have to pay. Moreover, money is only the vehicle for standardizing losses. Underneath the money lie moral, reputational, physical and psychological damages...

How can we anticipate the impact of this race on companies and society?

Motivations are the important thing, or not

Today we have many tools, many initiatives, many paradigms, and designs with security as the basis of their development... but the bad guy always comes back to run the race again... and to win it. Starting the race again takes solid motivations:

  • Hatred: evil exists.
  • Revenge: typically an insider.
  • Money.
  • More money.
  • A lot more money (this is usually the most common).
  • Political motivations.
  • "Hacktivism", although if we call it "cybercrime", "espionage" or "cyberterrorism", we also get it right.

In any case, whatever the motivation, the impact of a cyberattack on a company has a seismic effect. It spreads across the entire surface of the company and may even have aftershocks. The consequences, therefore, persist over time. What are they?

  • Reputational cost: If your business stops for an indeterminate period of time, that is hard; if your business takes a long time to return to pre-cyberattack figures, that is even harder.
  • Material and immaterial cost (personnel, information, facilities...). This equals a lot of money.
  • Potential victims (customers, patients, collateral damage): Companies are not beings. They are neither guilty, nor innocent, nor victims, nor executioners... However, the people who work in them can be the victims in this case, and so can their customers. People related to an attacked entity may suffer moral damages and lose privacy, health, money... Some of these losses can never be recovered, neither with insurance nor with compensation.

The IT world

Information technologies were the first to be affected by the dangers of the cyber world, perhaps also because they were the first to test the advantages that a connected world could offer. Let's imagine a situation in this area.

If a company, for example in the health sector, suffers a cyberattack that reaches all the data of its patients, let's say more than two million people, we have the following figures:

  • Number of victims: 2,000,000.
  • Reputational cost: Very high and recurrent. It is not only the headline. Every day that a victim remembers what happened, or suffers a problem because of it, he/she will again lose confidence in the entity and experience pain of some kind, which reinforces this negative feeling.
  • Material cost of the attack itself: relatively little. But it is going to be difficult to keep the 28,000 employees you have if the reputational cost is high and people stop trusting you, not to mention fines and other costs derived from a cyberattack.
  • Profit for the attacker: according to our studies, the type of information that moves in a hospital would be worth no less than €50. Doing the math... more than €100,000,000. Not bad for a few days of work.

Is it a lot? Have we chosen a specific incident to make the numbers scary?

According to several specialized media and cybersecurity companies, the healthcare sector suffered, every week, more than 1,400 cyberattacks on average in 2022 (and in 2023 the figure is no better). Other media indicate that this activity has led to 327 information leaks and 40 million patients affected by them.

The source is the industry itself: the Urology Times (big fan of the name). A quick count brings us to $2,000,000,000,000 of direct (and tax-free, of course) profit.

It is true that the stolen information may be "only" names and surnames, which lowers the value of the loot, but there will surely be something more in a hospital. And it is not even the sector that receives the most attacks. The academic sector, which includes research, is the most interesting for cybercriminals because of how lucrative it is to steal intellectual property, or simply to get paid for delaying someone else's research (a country, a business, a research group, etc.).

The industrial sector, on a terrible upswing

The air gap is long behind us. "Legacy" protocols, services and devices are not. Our beloved bad guys have been in the race for a long time. Having spent a few years training and testing, the number of attacks has skyrocketed. Our threat capture and analysis system for OT environments, Aristeo, captured over 300 million events against its network in the first half of 2023.

The number of exposed devices continues to increase, and the vulnerabilities detected and exploitable continue to be "easy" to exploit. We implement security measures, but... "they" are always ahead of us.

If we look at the automotive sector, a company dedicated to the manufacture of automobiles could suffer a data leak, just like companies in the IT field, or a stoppage of its processes... or both... Why not?

If this happens, how many days does the recovery process take? How many vehicles may be affected? An attacker who leaves a single machine in the automotive manufacturing process unavailable can cause his victim a loss of more than €20 per minute on that machine alone.

Another thing to keep in mind: nowadays, the assembly line manufacturing industry usually holds just enough material to keep its processes running for a day (there are no large warehouses with millions of parts). Logistics is more complex than calling to pick up or deliver a package. In other words, a stoppage in a small part of the chain seriously damages the rest of the process, both upstream and downstream of it.

And how much is this in terms of money?

Well, the question should be: is it better to pay the attacker and absorb the losses (surely in the millions) for the damage caused, or is it better to invest a lower amount in cybersecurity measures that minimize the risk of suffering a mishap?

Stopping the manufacture of 13,000 vehicles, shutting down several plants globally, absorbing fines and cost overruns for halted logistics... all of that ends up being far more euros than what a company would spend on cybersecurity before suffering a cyberattack. Because after a cyberattack, of course, it is going to spend it anyway.

The race is not over. Cybercrime is becoming more profitable and more secure (for the attacker) every day. The data is there.

Should we run then? We must fly.