Hacking the World – Part 4: The Cost and Future of Hacking (Plus: Safety Tips)
Each week in October, as part of Cybersecurity Awareness Month, we’ll publish an article packed with facts and stats, to give you an in-depth look at the state of cybersecurity in today’s world. We’ll start with the basics, then cover vulnerabilities, risks, costs – and much more.
We finish our four-part Hacking the World series with two key questions: how much does hacking cost the world at large, and what’s coming up next? We’ll cover some of the biggest, costliest data breaches and then take a peek at what the future holds for hacking. To round out your read, we’ve also compiled a few basic cybersecurity tips, to help keep you cybersafe.
Before looking ahead, a reminder that we’ve covered the basics, what’s being hacked (with Covid updates), and the who and where of hacking. For a refresher of key hacking terms and definitions, read our helpful cybersecurity glossary from Part 1.
The Cost of a Breach
Data breaches cost time and money. Lots of it.
In addition to covering the immediate damages of a cyberattack, companies must pay out compensation and data protection fines, all while investing in cybersecurity systems. The downtime and consequently lost business of a breach add substantial costs too.
The Growing Cost of Cybercrime
The monetary damages of cybercrime are already sky-high and they’re only heading in one direction.
More and more, businesses are turning to digital solutions. Expect cyberattacks to advance in complexity and regularity as companies pursue fresh web-based systems and cybersecurity departments play catch-up.
Top 10 Costliest Breaches
It’s only right that we take a look at some of the most financially devastating breaches of all time.
The costliest breach on this list is Equifax, though, when we dig into the numbers, data breach costs can be somewhat of a grey area.
Sometimes costs are not completely disclosed or are not entirely calculable. Experts predicted that Epsilon’s data breach could reach a whopping $4 billion, for example, while the Marriott breach may have cost closer to $1 billion considering the potential loss of future business.
A (dis)honorable mention has to go to the US Veterans Administration, which leaked data for 26.5 million US veterans. Damages are thought to range anywhere from $100 million to $500 million.
How Much Does a Data Breach Cost?
Data breaches have maintained a fairly consistent cost since 2014. Breaches cost companies, on average, $3.86 million per data breach in 2020. That’s slightly less than in 2019, which cost an average of $3.92 million per breach.
Meanwhile, the average cost per stolen record was $150 in 2020.
Breaches Have Longtail Costs
Organizations are not just dealing with the economic fallout of breaches within months of the attack. Numerous factors at play mean costs can span for the next three years.
Immediate damages, such as the costs of lost data and system downtime, can be paid in the first year of a breach.
Businesses can feel certain impacts long after the breach is closed, however. Reputational damages and lost customers, in particular, can affect a company well into the third year after a breach.
The Cost of Lost Business
Lost business accounts for 40% of the average company’s breach-related expenses ($1.52m). This includes incurred losses from business disruptions, system downtime, and reputational damages.
Detecting and investigating data leaks costs around 29% ($1.11m) of overall costs and post-incident response, such as data protection fines and legal damages, accounts for 25.6% ($0.99m) of data breach costs.
Notification involves liaisons with regulators, data subjects, and third parties. Notification costs just $240,000 per breach — 6.2% of overall costs.
The high costs of detection & escalation and lost business indicate that acting fast is an important step in reducing breach costs. Time is money. In fact, IBM found that breach lifecycles under 200 days cost businesses, on average, $1 million less than longer breaches.
Malicious PII is the Costliest Data
Data breaches cost more money when bad actors are to blame. IBM found that malicious breaches cost target organizations $1 million more than your average data breach. Nation-state attackers were the costliest actors and stolen credentials were the costliest root cause.
Malicious breaches are more damaging for companies because they are targeted — tailored to specifically exploit an organization’s systems, processes, or personnel. This leads to bigger breaches, more sensitive leaked data, higher subsequent levels of cybercrime, and more expensive fines and lawsuits.
Malicious breaches also take longer to identify and contain than other root causes: 315 days, as opposed to 244 days (system glitch) or 239 days (human error). This means there are greater incurred costs from system downtime.
Breach Cost: Expensive Industries
The healthcare industry suffers the costliest breaches of any sector. Healthcare organizations have a generally poor level of security to protect high-value medical records.
This results in big data breaches which have significant damages, both for the organization itself and the victims of the breach.
Healthcare breaches cost $7.13 million on average in 2020, nearly twice the global average.
The energy sector ($6.29 million) and the financial sector ($5.85 million) also face big damages from breaches. Accenture notes that financial companies take the biggest economic hit from all types of cybercrime at $18.3 million per company surveyed.
Media, hospitality, and research companies are less regulated than the aforementioned sectors. Public sector organizations do not lose “customers” after a breach. As such, public organizations have the lowest breach costs.
Mega Breaches: An Expensive Trend
The rise of big data, personalization, and data analytics means big corporations are collecting more of your data than ever before. This requires huge servers to store all of your credentials and personal information.
Hackers will, inevitably, target big data stores given their bounty of valuable information.
Mega breaches are defined as breaches that expose at least 1 million records. Breaches that expose more records cost organizations higher sums of money. The cost of a mega breach is on an upward trend as well.
To be clear, mega breaches are the costliest data breaches. Mega breaches exposing 50+ million records cost an average of $392 million in 2020. That’s a 12% growth since 2018.
The Biggest GDPR Fines
The EU’s General Data Protection Regulation (GDPR) laws are recognized as the toughest data protection laws in the world. GDPR dishes out some of the biggest fines, too, and this can add significant costs to a data breach.
GDPR will fine a company that is deemed to have mishandled the data of EU citizens.
GDPR can act outside of its jurisdiction where EU citizens are concerned. The max fine for a GDPR breach is €20 million or 4% of the breached company’s annual turnover (whichever is greater).
GDPR fines have reached up to €50 million. Even without a fine, preparing for GDPR can be expensive. 88% of businesses spend over $1 million when trying to meet GDPR standards.
How Compliant Are Companies?
Where other privacy regulations focus on sanctions and punishments for poor data protection, the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are more concerned with compliance.
These regulations demand a long list of specific data-handling standards and practices. The GDPR covers any organization that trades with EU citizens and came into effect in 2018. The CCPA, which is inspired by GDPR, covers entities in California and was initiated in 2020.
Organizations must pay to reach compliance, while failure to do so could cost businesses in more ways than one.
The Cost of Compliance: GDPR
The GDPR requires businesses to spend significant sums of money to introduce and maintain satisfactory data-handling practices, systems, and technologies.
On average, companies around the world are spending well over $1 million to reach compliance with GDPR. In the United States, a huge portion of companies are going above and beyond to secure user data with an outlay of $10+ million on GDPR.
The Cost of Compliance: CCPA
California state-sanctioned research outlines the estimated average cost of CCPA compliance. The study assumes that around 75% of companies based in California are subject to the CCPA.
Californian businesses will collectively spend $55 billion to reach initial compliance with the CCPA. That’s equal to roughly 1.8% of the region’s Gross State Product in 2018.
The direct compliance costs over the next decade (2020-2030) will be significant for CA organizations, collectively reaching anywhere from $467 million to $16.5 billion, according to the report.
The Cost of Compliance Failures
Compliance failures cost businesses a lot of money.
Compliance failures increase the average cost of a data breach. In fact, compliance failures were the biggest cost amplifying factor in IBM’s study.
Organizations must shoulder the blame for compliance failures. A failure to properly secure data often leads to bigger, more impactful data breaches, larger fines, and additional sanctions. All of which increases breach costs.
Cybersecurity Spending Per Sector
Across all sectors, companies spent 0.48% of their revenue on cybersecurity in 2020, up from 0.34% in 2019.
That equates to 10.9% of each business’ IT budget, a 0.8 percentage point increase from the 10.1% of IT budget allocated in 2019, or $2,691 per employee in 2020 vs. $2,337 per employee in 2019.
According to ESG Master, 47% of organizations have planned to increase their cybersecurity spend again in 2021. The upward trend in cybersecurity spending comes as companies attempt to quell the intense wave of cyberattacks following the outbreak of COVID-19.
Top Cybersecurity Investments
Total cybersecurity spending surpassed $123 billion in 2020. Organizations are primarily investing in infrastructure protection ($17.5 million), network security equipment ($11.7 million), and identity access management ($10.4 million).
There are, of course, companies that neglect cybersecurity spending. Usually these are smaller businesses with smaller budgets. 54% of small businesses do not have a cybersecurity response plan in place. Unsurprisingly, 65% of small businesses fail to react to cybersecurity incidents.
Data suggests companies of all sizes need to invest more in risk assessments, too. A measly 57% of businesses carried out a data security risk assessment in 2020.
Cyber insurance Reduces Costs
Cyber insurance is a developing field that aims to help businesses cover the expense of suffering a data leak.
Primarily, cyber insurance claims compensate for consulting and legal costs. Restitution payments are paid for 36% of businesses, and regulatory fines are covered for roughly one-third of organizations.
The Cybersecurity Gap: SMBs Pay the Price With Data
There is a clear gap between the cybersecurity posture of security leaders and non-leaders. Leaders are often bigger businesses with more resources, while SMBs usually fall into the latter category.
What’s more, leaders can mitigate the impact of cyberattacks far better than non-leaders, reducing the amount of data loss and subsequent breach costs. That’s despite facing a higher volume of cyberattacks.
So, how are non-leaders paying for a lack of maturity in their cybersecurity strategies?
With data, of course. Just 15% of cybersecurity leaders had lost more than 500,000 customer records from cyberattacks in the year preceding Accenture’s survey. On the other hand, 44% of non-leaders had 500,000 records or more exposed over the same period.
Security Leadership Reduces Costs
A Chief Information Security Officer (CISO) is an executive who’s responsible for the establishment, maintenance, and management of an organization’s cybersecurity strategy. A Chief Security Officer (CSO) oversees the security of all aspects (personnel, physical assets, and data).
These executive-level security pros are integral to an organization’s cybersecurity team. In IBM’s survey, 46% of experts believe the CISO is the “most responsible” person for any data breach.
A great security executive can provide the leadership necessary to elevate a company’s strategy and lessen the impact of a breach. According to Gartner, 40% of companies will have a dedicated cybersecurity committee that’s supervised by a board member in 2025—that figure is 10% today.
Leaders Sustain Existing Tech
Cybersecurity leaders are allocating their security budgets tactfully, across piloting and scaling new technologies, with a focus on sustaining current security solutions.
The data suggests that great security is not just about buying up the latest tech as it becomes available. Non-leaders focus their spending on trialing new technologies. However, leaders master the basics and consolidate what they have—part of the reason these departments are so successful.
Cost Difference: Leaders vs. the Rest
Non-leaders stand to save a ton of money should they implement better investments and procedures in their security departments.
That’s because their security solutions are failing them: provoking a higher chance of successful breach followed by a lackluster breach response.
We mentioned how non-leaders pay for their cybersecurity shortcomings with data. This means non-leaders experience regulatory actions more often than security leaders (19% of non-leaders vs. 13% of leaders). Non-leaders are more likely to face fines, too, compared to security leaders (19% of non-leaders vs. 9% of leaders).
With better data handling comes fewer fines and monetary remediations. That’s why non-leaders could save nearly $300,000 per breach by improving their cybersecurity.
The Future of Hacking and Cybersecurity
Let’s explore the cybersecurity forecasts for the future. We’ll look at spending, expected threats and vulnerabilities, and the technology of tomorrow, today.
Cybersecurity Set for Exponential Growth
The cybersecurity market will reach an eye-watering $430 billion by 2030 at its forecasted annual growth rate of 9.1%.
Almost every company has massively increased its cybersecurity spend in 2020 & 2021 to deal with record levels of cyber activity.
Expect this to continue as we move into the digital age. Hacks will increase in severity and sophistication; Cybersecurity Ventures predicts cybercrime damages could reach $6 trillion by the end of 2021. Cybersecurity teams must keep up to protect customer data.
Digital Transformation Presents Some Issues
For many organizations, events of the previous two years have accelerated their “digital transformations.” That is, their adoption of new technologies and processes to develop business practices and cybersecurity posture.
In IBM’s study, organizations that failed to implement any kind of digital transformation were left behind, incurring 17% higher average costs per data breach. That being said, the majority of organizations aren’t able to secure their new systems quickly enough, an issue that could present a multitude of entry points to hackers.
Data Breaches Will Become Less Damaging
A number of emerging IT technologies, many of them utilizing AI, are contributing to a general reduction in the damages caused by cyberattacks. This is expected, as cybersecurity departments become more sophisticated.
A VMware survey of Chief Information Security Officers (CISOs) found that 98% of businesses use, or plan to use, a cloud-first cybersecurity strategy. Dedicated “SOCs” (security operations centers) are predicted to become more common as well. The SOC market will grow at 28.6% every year until 2025.
To be clear, these technologies are already playing their part. Despite record levels of cyber activity, 66% fewer US citizens were impacted by data breaches in 2020 than in 2019.
AI & Automation Is the Future
Artificial intelligence, automation, and machine learning are, of course, the cream of emerging cybersecurity technologies. These systems vastly improve an organization’s ability to detect and respond to a data breach through the use of AI.
According to Nominet, 75% of CISOs believe that AI will reduce the amount of stress they experience at work. AI technologies can detect new threats and shift with changing hacking trends—an important trait given the fast-paced nature of today’s cybersecurity landscape.
Hybrid-Cloud Will Dominate
The hybrid cloud model is a type of cloud storage solution that has quickly risen to become a prominent method for organizations.
Hybrid cloud is made up of physical, on-premises infrastructure, private cloud, and public cloud services. Hybrid cloud combines the security of on-premises storage solutions with the ease and data visibility of using cloud storage.
That’s why more and more organizations are converting to this method and seeing results. IBM found that hybrid cloud saves organizations $1.2 million per breach compared to public-cloud-only companies, and $940,000 per breach compared to businesses using private cloud.
Companies Will Scale Encryption
Encryption should be an essential part of an organization’s data security strategy.
Businesses have adopted encryption with increasing regularity over the last few years, though still only 50% of businesses consistently use encryption across all of their applications.
The future will see every business encrypt its data consistently. Why? Because encryption works. By making data unreadable to hackers, encryption reduces the impact of a data breach.
IBM’s study found that encryption was the third biggest cost-mitigating factor in a data breach. Companies with high-standard encryption pay, on average, $1.25 million less per breach than those with low-standard encryption.
How Does Future Tech Rank?
Cybersecurity leaders ranked prevalent and emerging security technologies alongside one another based on each option’s ability to provide specific benefits.
SOAR (security orchestration, automation, and response) technology covers all aspects of security, from detection, management, and response to security automation. SOAR ranked highest for helping businesses detect threats while reducing risk and subsequent costs.
AI also ranked well for mitigating breach impact and providing an effective response. New technologies are overwhelmingly effective. 86% of security leaders say that new cybersecurity tools expand the scope of their organization’s cybersecurity coverage.
Is Security Technology Spending Unsustainable?
At its current rate, the vast sums of money organizations spend on emerging cybersecurity technologies, tools, and systems are not sustainable.
60% of organizations have experienced a cost increase of 25% or less across all 17 components listed. Another 23% of businesses have seen more than a 25% increase in costs.
New technologies can sometimes fail for organizations that are struggling to stay ahead of the curve. Accenture reveals that 69% of organizations find outpacing hackers is a constant fight with an unsustainable financial outlay.
Ransomware attacks and DDoS attacks will become more frequent in the future. In fact, ransomware is the fastest-growing type of cybercrime. One ransomware cyberattack occurs every 11 seconds in 2021.
Experian predicts some future targets that could be vulnerable to hacks. Cloud vendors are expected to be targeted, while biometric scanners could also be a valuable source of data for cybercriminals moving forward.
IoT could become an even bigger problem area, too. Over 40 billion devices will be connected to the IoT by 2025. Given IoT’s well-documented vulnerabilities, hackers will continue to exploit these devices until they contain adequate cybersecurity.
Three Future Hacks and Vulnerabilities
There are several prominent areas of concern as we look towards the future of hacking.
Supply chains and business ecosystems will see a continued rise in cyberattacks. Business ecosystems are constantly expanding in size and complexity. This increases the attack surface of a business and makes life more difficult for CISOs. According to Accenture, 83% of organizations believe they need to secure entire ecosystems, not just their own business, to be effective.
Businesses are becoming more interdependent, too, as they share popular supply chains which pervade across multiple industries. Large-scale networks of services, applications and devices can therefore be hyperconnected.
Hyperconnectivity means an attack that exploits multiple businesses at once is becoming more likely. This could be a hack that exploits loads of IoT devices, like smart TVs, or every business that uses a certain web service.
Finally, critical infrastructure attacks are becoming increasingly prevalent. We’ve seen several nation-state led attacks on US infrastructure this year. Critical industries are a valuable target that can cause major disruption if disabled. For example, the US pipeline attacks led to fuel shortages in some parts of America.
Critical industries are shockingly vulnerable too. Four in ten ICS (industrial control systems) installations, which are used in manufacturing and utility companies, are susceptible to attack. Expect cybercriminals, nation-states, and even cyberterrorists to exploit critical infrastructures in the future.
Safety Tips for Preventing Cyberattacks
A few tips to reduce your own chances of exposure to cyberthreats and data breaches.
Install Cybersecurity Software
First things first, download antivirus and anti-malware software if you haven’t done so already. There are plenty of free options, and most of them include protection against both viruses and malware. So there are no excuses: device protection is essential!
You should consider getting a VPN too. VPNs encrypt your web traffic to establish a secure connection to the internet. This makes for safer web browsing and file sharing.
Update Device Software
You need to update the software on computers or devices you use regularly. Manufacturers often patch any vulnerabilities in software updates. Installing updates can, therefore, massively reduce your chances of suffering a device hack or back-door access attack.
Only Download Files From Trusted Sources
Any web link on a website, email, message, or internet source of any kind could lead to malware. You therefore need to be absolutely certain that the link comes from a trusted domain or person before you click.
Create Rock-Solid Passwords
Over-simplistic passwords are a big no-no. They’re super easy for cybercriminals to hack and could easily provide access to your sensitive data.
You should create solid passwords made up of upper and lowercase letters, numbers, and symbols. Avoid common words or phrases; these can be hacked in a brute-force attack!
Make sure you have a different password for each of your accounts too. That way, should one of your accounts be (unfortunately) compromised, hackers won’t be able to authenticate themselves across every other account you own.
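As an added example (not part of the original post), a small Python audit that applies the three password rules above to a constructed set of accounts: use all four character classes, avoid common words (including “leet” spellings of them), and never reuse a password. The short word list, the 60-bit search-space floor, and the sample accounts are assumptions for illustration; a real check would load a far larger leaked-password list.

```python
import math
import string

# Constructed stand-in for a breach-derived dictionary (assumption: a real
# checker would load a much larger list of commonly leaked passwords).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "admin"}

# Each class the article asks for: name, pool size, and a membership test.
CLASSES = [
    ("lowercase", 26, str.islower),
    ("uppercase", 26, str.isupper),
    ("digit", 10, str.isdigit),
    ("symbol", len(string.punctuation), lambda c: c in string.punctuation),
]

# Undo the usual substitutions (@->a, 3->e, 1->i, 0->o, 5->s, $->s) so that
# "Pa$$w0rd" is still recognised as "password".
LEET = str.maketrans("@3105$", "aeioss")


def used_classes(pw: str) -> list[tuple[str, int]]:
    """Character classes actually present in the password, with pool sizes."""
    return [(name, size) for name, size, pred in CLASSES if any(pred(c) for c in pw)]


def search_space_bits(pw: str) -> float:
    """log2 of the brute-force search space: length * log2(pool size)."""
    pool = sum(size for _, size in used_classes(pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def contains_common_word(pw: str) -> bool:
    """True if the password is built on a dictionary word, leet spelling included."""
    normalized = pw.lower().translate(LEET)
    return any(word in normalized for word in COMMON_WORDS)


def assess(pw: str, min_bits: float = 60.0) -> list[str]:
    """Return the list of rule violations for one password (empty = acceptable)."""
    problems = []
    present = {name for name, _ in used_classes(pw)}
    missing = [name for name, _, _ in CLASSES if name not in present]
    if missing:
        problems.append("missing character class: " + ", ".join(missing))
    if contains_common_word(pw):
        problems.append("built on a common word")
    if search_space_bits(pw) < min_bits:  # 60-bit floor is an assumption
        problems.append(f"search space below {min_bits:g} bits")
    return problems


def find_reused(accounts: dict[str, str]) -> list[list[str]]:
    """Groups of accounts that share one password (the password itself is not returned)."""
    by_pw: dict[str, list[str]] = {}
    for account, pw in accounts.items():
        by_pw.setdefault(pw, []).append(account)
    return sorted(sorted(group) for group in by_pw.values() if len(group) > 1)


# Constructed sample accounts, as a password manager audit might see them.
SAMPLE_ACCOUNTS = {
    "email": "Summer2021!",
    "bank": "Summer2021!",
    "shop": "correct horse battery staple",
    "work": "xT9#vQ2mL!p4Rz7w",
}

if __name__ == "__main__":
    for account, pw in SAMPLE_ACCOUNTS.items():
        print(f"{account}: {search_space_bits(pw):.1f} bits, issues: {assess(pw) or 'none'}")
    print("reused across:", find_reused(SAMPLE_ACCOUNTS))
```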
Monitor for Data Leaks
Keep tabs on the brands you use and regularly monitor the status of your data/accounts. It’s impossible to completely mitigate the risk of suffering exposure, but a quick response is the best response. You can change your account credentials if worried about a known breach or prevent further damages if you’re a victim of fraud.
The Bottom Line
The bottom line is: Your data is under threat. Hackers and cybercriminals are in a race to collect as much data as possible, whether they are motivated by money, political affiliations, or any of the other causes we’ve highlighted in this four-part series.
The rise in big data and the ever-growing adoption of digital technologies have facilitated a massive increase in cybercriminal activity. But fear not. While hackers enjoy their most prolific period to date, cybersecurity shows every sign of catching up. Meanwhile, implementing a few of the above-mentioned cybersecurity practices will stand you in good stead as we head into a new age.