Global losses due to cyber attacks reached $1 trillion in 2020, or more than 1% of global GDP. These losses come from the theft of monetary assets and intellectual property, but also from hidden losses that are often overlooked. It is this last aspect that McAfee has examined in a report produced in partnership with the Center for Strategic and International Studies.
McAfee and the Center for Strategic and International Studies (CSIS), a US think tank, have published a new report on the hidden costs of cybercrime. Vanson Bourne was commissioned to survey 1,500 IT decision-makers and business leaders from all sectors in the US, France, Canada, the UK, Germany, Australia and Japan.
Two thirds of companies attacked
The findings are damning: two thirds of the companies surveyed suffered a cyber attack in 2020. As a result, global losses due to cyber attacks have increased by more than 50% compared to 2018 to reach more than $1 trillion. This astronomical amount represents more than 1% of global GDP.
The report took a close look at the hidden costs of cybercrime. Four main expenses stand out: system downtime, reduced efficiency, incident response costs and brand and reputation damage. Around two-thirds of companies surveyed report downtime caused by an IT attack. In 2019, the average cost of their longest period of downtime was $762,231.
This downtime has an impact on productivity as, on average, organisations lost 9 hours of work per week. The average business interruption was 18 hours. In detail, engineering departments suffered greater losses, averaging $965,000, in stark contrast to human resources departments, which suffered losses of approximately $89,000.
Damage to the company's reputation
Security incidents most often require external intervention, the cost of which represents a significant proportion of the costs for the organisations surveyed. In addition, respondents identified harm caused by damage to their company's image. 26% of people report brand damage due to service interruption caused by the cyber attack.
The report uses the example of the cyber attack that affected the pharmaceutical giant Merck in 2017. The losses from this attack could exceed $1 billion, according to McAfee. The NotPetya malware had spread to other parts of the pharmaceutical supply chain and caused delays in the delivery of medicines worldwide. In detail, $2.5 million was spent on external expertise, $115 million on security improvements and $31 million on consumer education.
An alarming lack of preparation
Beyond the ever-increasing costs, it is the lack of a prevention and action plan that is worrying. Indeed, 56% of respondents said they had no strategy for responding to a cyber attack. Of the 951 organisations that have a response plan, only 32% stated that the plan was effective.
Moreover, companies themselves admit to having gaps, and 507 of the 1,332 respondents believe that a lack of user knowledge contributes to the success of cybercriminals targeting their organisations. One of the biggest challenges is the lack of understanding of cyber risk across the organisation, the report concludes.
No consistency in the tools used
Another problem is the lack of harmonisation of prevention tools. On average, companies use 47 different cybersecurity tools from 10 different vendors, the study reports. So even when different products and services are properly integrated, this lack of consistency forces "IT professionals to spend their time managing the interoperability of toolkits that were supposed to make their jobs easier," the report continues.
In response, McAfee recommends that companies implement basic security measures, standardise IT security requirements and train employees on cyber issues.