According to a report prepared by CSIS, the highest costs of cyber-attacks in terms of the percentage of national GDP are borne by middle-income countries. There are many signs indicating that Poland is one of these countries.
The costs of cyber-attacks are increasing each year. This is shown by the data included in the report “Economic Impact of Cybercrime – No Slowing Down”, prepared by the American think-tank Center for Strategic and International Studies (CSIS) in cooperation with the cyber security company McAffe, as well as the report entitled “Cost of Cyber Crime Study”, prepared by the Ponemon Institute in cooperation with the consulting company Accenture. The CSIS report focuses on the estimates of global costs of cyber-crime, while the annual Ponemon report primarily shows the average costs related to cyber-attacks that are incurred by companies from various sectors of the economy. The report was developed on the basis of interviews with the representatives of 254 companies employing at least 1,000 FTE (with an average of 8,500 FTE) from the seven most developed countries.
The authors of the CSIS report estimate that in 2016 the total global costs of cyber-attacks amounted to between USD445-608bn. This second figure is equivalent to 0.8 per cent of the global GDP in 2016. Two years earlier, the estimates presented by CSIS pointed to the amount of USD345-445bn (0.62 per cent of GDP from 2014).
The cost of cyber-attacks account for about 1/3 of the cost of international crime or those related to counterfeiting and piracy, which are estimated by the Global Financial Integrity and the World Trade Organization, respectively, at USD1.6-2.2 trillion and USD1.8 trillion annually. For comparison, the total costs of last year’s Atlantic hurricanes, such as Irma or Harvey, are estimated at USD300bn.
In the CSIS report showing estimates for 2014, the authors predicted that the costs of cyber-attacks would stabilize in the following years. In the report published in February 2018, with data for 2016, they admit that they were overly optimistic and they are indicating an increase in the attacks in the very title of the report. Zurich Insurance predicts that in 2030 the costs of cyber-attacks will amount to USD1.2 trillion, which will be equivalent to 0.9 per cent of the global GDP.
In mid-2017 the Lloyd’s insurance company, together with the company Cyence, which specializes in risk modeling, estimated the average total cost of a potential large-scale global cyber-attack, carried out through the computing cloud of a large provider of such services, the effects of which would be removed over a period of 2.5-3 days. In their opinion, the costs of such an event could reach up to USD121.4bn, of which USD16.7bn would fall on the financial sector. This estimated total cost is equivalent to 1/9 of the global GDP in 2016.
The same report contains an estimate that a massive attack using a previously unknown software security flaw (a so-called zero-day attack) on companies in the United States, Canada and the European Union with revenues exceeding USD20m, could cost them USD28.7bn dollars in an extreme case.
Last year’s losses were probably higher than those calculated for 2016, if only due to the two large ransomware attacks (i.e. attacks where malicious software encrypts computers and demands a ransom for unlocking them) named WannaCry and NotPetya. Hundreds of thousands of computers in dozens of countries were infected by each of them. As a result, the attacks paralyzed many companies, including those operating globally, and public institutions around the world.
One of them was Maersk, the largest container shipping company in the world. Jim Hagemann Snabe, the head of the company’s supervisory board, estimated the costs associated with the replacement of 45,000 computers, 2,000 servers and 2,000 applications at USD250-300m. We should also include the lower revenues associated with the decline of up to 20 per cent in the number of handled containers lasting several days. According to Cyence’s calculations, the NotPetya attack cost the economy USD850m.
The list of cybercrime events form the previous year also includes the successful attacks on Bitcoin exchanges, e.g. in South Korea and Slovenia, and the hacking of Equifax, one of the three largest American agencies preparing consumer credit reports. We should also mention the successful attack on the US Securities and Exchange Commission (SEC), as a result of which cybercriminals gained access to classified information from companies listed on the stock exchange.
As a result of the incident at the Equifax agency, data concerning 145.5 million Americans, 400,000 Brits and 19,000 Canadians were leaked. According to American media, data stolen from the agency – including e.g. social security numbers, tax identification numbers, driver’s license numbers along with the place and date of issue, dates of birth, passport numbers – will make it significantly easier for criminals to take out fraudulent loans, as well as to commit fraud related to tax refunds and the forgery of identity documents, e.g. for illegal immigrants.
This year, as a result of a hacking attack, JPY58bn (USD534m) were stolen from investors operating on the Coincheck crypto currency exchange in Japan. This was the largest theft of virtual currencies in history. The previous “record” – where JPY47bn was stolen – belonged to the Japanese bitcoin exchange Mt.Gox, whose security mechanisms were broken in 2014.
The financial sector is targeted by professionals
According to the authors of the report entitled “Economic Impact of Cybercrime”, the highest costs of cyber-attacks may have been incurred in East Asia and the Pacific Region. They were estimated at about USD200bn, or 0.89 per cent of the region’s GDP. In Europe and Central Asia these costs could reach up to USD180bn (up to 0.89 per cent of the GDP), while in North America they reached USD175bn (up to 0.87 per cent of the GDP). These three regions combined are responsible for 83 per cent of the global GDP. In other regions, which are much less developed economically and technologically, the costs are clearly lower both in terms of absolute values as well as the percentage of the local GDP.
CSIS states that financial institutions have been the most common target of the most highly-skilled hackers for more than a decade. The institutions falling victim to such attacks include both commercial banks and insurance companies, as well as credit risk assessment institutions, central banks, and stock market and financial supervisory authorities. The goal of attacks is either to steal funds or to obtain information that can be used to make a profit.
The financial institutions are most often attacked by hackers from three countries: Russia, China and North Korea. The aim of the attacks originating from Russia and North Korea is primarily to steal money. Meanwhile, the attacks coming from China are mainly aimed at obtaining information.
According to experts in the field of cyber security, many attacks from these three countries are carried out by hackers working for the local governments. According to information obtained by media (e.g. “Fortune” and the “Washington Post”), the American and British secret services are convinced that the Russian military intelligence GRU was behind the NotPetya attack from June 2017, which began in Ukraine and which paralyzed many companies and government institutions in that country before spreading across the world. Meanwhile the American, British and Australian special services are blaming North Korean hackers for the WannaCry attack from May 2017.
The February 2016 attack on Bangladesh’s central bank was also probably carried out by North Korean government hackers. After breaking the security mechanisms in the bank’s IT system, the hackers attempted to steal nearly a billion dollars using the SWIFT infrastructure.
In the spring of last year The New York Times reported that according to all available evidence, North Korea also carried out a sophisticated attack – disclosed in February 2017 – on the Polish Financial Supervision Authority, whose internet service was used for the distribution of malware to 20 Polish and over 100 foreign banks. According to the newspaper, the potential targets of this attack included, among others, the central banks of Russia, Venezuela, Mexico, Chile and the Czech Republic.
Rising costs for companies
The Ponemon Institute and Accenture estimate that in 2017 the average annual costs incurred by companies in relation to cyber-attacks increased by 23 per cent, to USD11.7m. They also indicate that these costs increased by 62 per cent over the last five years. Meanwhile, in the last year the number of successful cyber-attacks carried out against companies increased by more than 27 per cent.
According to the authors of the report, among the companies from the most developed countries in the world, the highest average annual costs are borne by companies in the United States (over USD21.2m per year), while the lowest costs are borne by companies from Australia (USD5.4m).
The highest average annual costs of cyber-attacks are incurred by companies operating in the financial sector (the authors of the report estimate the average costs for that sector at USD18.3m per year) followed by companies operating in the municipal services and the energy sector (USD17.2m), as well as companies from the aerospace and defense industry (USD14.5m).
The report shows that the highest average costs of a single incident are associated with attacks carried out by current or former employees and that – which should not come as a surprise – the total annual costs increase along with the number of employees in the company. Importantly, the highest costs per one employee are recorded in the smallest companies (they are four times higher than in the case of very large corporations). In turn, in the last three years the increase in average annual costs was the highest in medium-sized and large enterprises where it amounted to 27 per cent and 52 per cent, respectively. During this time the average annual cost for small companies increased by 20 per cent, and the largest companies recorded an increase of 15 per cent.
During the last two years, the most common consequence of a cyber-attack was the loss of information. The second most common consequence is currently the disruption of business processes (reduced work efficiency, interruptions and disruptions at work, etc.), while the third most common consequence is the loss of revenue.
Cyber security in Poland
According to the authors of the CSIS report, the highest costs of cyber-attacks in terms of GDP are borne by middle-income countries where the digitization of the economy is already fairly advanced, but whose cyber security capabilities are not able to keep up with this development. There are many signs indicating that Poland is among these countries.
According to data of the Statistics Poland (GUS), almost every company employing 10 or more people uses computers, and over 93 per cent use the internet. The report entitled “The Polish cyber-roulette: Why are companies counting on good luck in the fight against cybercriminals”, prepared by PwC, shows that even though some 44 per cent of Polish companies surveyed for the purposes of the report suffered financial losses in 2017 as a result of cyber-attacks, with 62 per cent experiencing disruptions and downtimes resulting from such attacks, and 21 per cent falling victim of hard drive encryption through so-called ransomware attacks, as many as 20 per cent of medium-sized and large companies have no employees responsible for cybersecurity, 46 per cent of companies do not have operational procedures for responding to incidents related to cyber-attacks, and the cybersecurity expenditures amount to a mere 3 per cent of IT budgets on average. According to PwC, these expenditures should be at least three times higher. According to the authors of the report, only 8 per cent of the Polish companies surveyed “have implemented mature information security systems”.
As many as 28 per cent of respondents from medium-sized and large enterprises declare that they spend less than PLN50,000 per year on information security. Only 12 per cent of the survey participants indicated information security budgets higher than PLN1m. It should be emphasized that the declared values apply to all expenditures related to information security, from jobs to tools and training, state the authors of the PwC report.