Evolution of cybercrime and of the cost related to hacking

In its issue number 99, published in March 2013, Atlas Magazine dedicated a dossier to IT security. Recent events invite us to take stock of recent developments observed in the field and to update our data. We are, therefore, tackling this topic again that we will publish in two parts.

The second part that will be published in June will treat the insurance of cyber risks

IT hacker © Chiefhacker.harry, CC BY-SA 3.0

Nowadays, corporate business has become based on the intensive use of computer systems. Whole sections of the economy are heavily dependent on electronic data management and their transfer by the networks. These data, whose mass is increasing by 60% annually, are part of the intangible assets of companies, thus falling easy prey to cyber-attacks.

With the renewal of technologies, the proliferation and interconnection of information systems, threats keep evolving while gaps are being created. Today, the boundaries between professional and private devices are blurring. In addition, the outsourcing of data is now commonplace and it is estimated that over 30 billion is the number of machines that will be connected in the next decade. So many potential weaknesses to be exploited by hackers.

Globally, cybercrime has cost 110 billion USD to all companies in 2013, a cost that has prompted companies to gradually transfer this risk to insurance companies.

The evolution of computer attacks in terms of nature and number

According to a study conducted by Symantec, cyber-criminals plan their attacks rigorously. Corporate businesses are getting increasingly targeted because the information they hold are extremely valuable. Data breach is regarded as illicit source of enrichment.

The best organized cyber crooks do not settle with the outright contamination of networks anymore, but they prefer to break into systems through business partners. In 2014, the percentage of incidents attributed to service providers, consultants or subcontractors increased by 18% and 15% respectively.

Attacks are varied. They may consist of software updates. All hackers have to do is wait for the user to download the software to introduce a virus or Trojan. Other methods initially consist in triggering a basic attack as a diversion followed by a second more dangerous and targeted.

Sending emails remains another classic way to introduce malicious programs. Whereas before, thousands of e-mails were used by the hackers, today, only a few are sent. They are targeted, adapted to the persons selected (accounting department, secretariat, etc.). The opening of the e-mail or attachment causes the activation of the intrusion program.

Software piracy takes a new turn when it is intended to take control of networks or devices in order to ask for ransom. The technique of "cryptlockers" consists in placing lock software in the computer systems. A ransom of up to several tens of thousands of dollars is then required in return of unlocking the devices and the systems compromised.

Sabotage of industrial installations is another alternative. Stuxnet is the name of a computer program discovered in 2010 and which contaminated by propagation many industrial sites worldwide.

According to the British government, it takes an average of 200 days between the installation of a malware and its detection. This number is 173.5 days according to PricewaterhouseCoopers (PwC).

The number of cyber-attacks is steadily increasing. It is estimated that in 2013, 42 800 000 of such events took place, that is more than 117 000 per day, bringing the amount of data stolen to 740 000 000. According to Symantec, for the single year of 2014, five large companies out of six were victims of attacks around the world. The reported number of incidents has jumped by 48% in the same year.

The modelling company AIR Worldwide has tracked the number of cases of piracy reported across the world. The graph below confirms the sharp acceleration noted since 2013.

Number of piracy acts recorded worldwide

This trend has been confirmed by the survey conducted by PwC and published under the title: "The Global State of Information Security Survey 2015".
The survey covering 9700 companies revealed that the number of incidents is constantly increasing with an annual growth rate of 66% since 2009. This rate sharply grew up between 2013 and 2014.

Total detected incidents: 2009-2014

In millions USD Source: PwC: "The Global State of Information Security Survey 2015 "

Evolution of the perception of IT risk

The various polls published by PwC show that the perception of the risk of IT attack is constantly increasing. The percentage of respondents who believe that these risks are increasing rose from 39% in 2011 to 48% in 2014.

Source: PwC: The 2014 Global Economic Crime Survey"

Costs related to cyber-attacks

The costs of computer systems attacks may be substantial for companies. They include:

• Control costs of potentially affected computer systems,
• Costs of repair /viral decontamination and of possible reconstruction of data,
• Customer notification costs,
• Legal defense fees and penalties following court decisions,
• The penalties imposed by the legislator,
• Communication costs for crisis management.

The cost sustained for restoring lost data is comprised between 24 and 243 USD. Accumulated loss of data may turn out to be particularly onerous.

The average cyber-attack cost is estimated by PwC at 2.7 million USD in 2014, that is 34% more than in 2013. In 2013, the damage generated at the global level by cyber-attacks is estimated at 110 billion USD.

The number of companies having reported "cyber" claims exceeding 20 million USD jumped by 92% at the end of 2013.

The average cost per computer attack increases with the size of the company targeted. It is the companies whose turnover exceeds 1 billion USD that suffer the most serious financial consequences. The losses they incur per claim go in average from 3.9 million USD to 5.9 million USD between 2013 and 2014, that is a growth rate of 51% in one year. Conversely, average financial losses per attack are down between 2013 and 2014 for companies with a turnover of less than 100 million USD.

The average cost of a cyber-attack according to the company’s size: 2013-2014

Source: PwC "The Global State of Information Security Survey 2015"

Target countries

The United States is the country where cyber-attacks are most numerous, with almost 21% of the events reported there in 2014. It is estimated that 7% of American companies have lost 1 million USD or more as a result of cybercrime incidents in 2013.

Nearly 19% of businesses across the Atlantic claim to have suffered losses comprised between 50 000 and 1 million USD. This figure is only 8% at the global level.

The most cyber-attacked countries in 2014, in % of world total

* France is ranking 14 ^th worldwide Source: Symantec

Potentially exposed industries

Industries are not identically exposed to cybercrime. According to risk accumulation scenarios developed by Swiss Re, the banking sector is the most threatened, followed by medical centers and insurance.

Exposure estimate depends on factors affecting the probability of occurrence and severity of the attack.
These factors are:

• The dependence on third-party service providers for data storage (the Cloud being an aggravating element), transaction process (credit cards, online payments, etc.), the automated management (through computer programs),
• The quality of IT protection,
• The response plan to counter malicious incursions into computer systems,
• The type of data stored (financial, private, governmental, commercial, etc.).

The business sectors most exposed to cybercrime

The table below summarizes the exposure of the various economic sectors to cybercrime:

Source: Munich Re, Cyber resilience-The cyber risk challenge and the role of insurance-December 2014

Some examples of recent disasters

Target

In December 2013, Target, the third largest American retail chain was victim of a sharp attack of hackers. Seventy million customers had their personal information hacked, including their bank details. As a consequence, target's reputation took a serious blow.

This cyber-attack will cost the distributor about 1 billion USD (customer compensation, especially for the re-issued bank cards). This incident has cut the group’s profits in the fourth quarter of 2013 by 440 million USD. The CEO stepped down few months later.

In March 2015, a judge of Minnesota ordered Target to pay up to 10 million USD to customers who had sustained damage in this case.

eBay

© Denis Grgečić Valput, CC BY-SA 3.0

In May 2014, the US giant eBay was robbed of 140 million bank accounts belonging to customers: (names, email addresses, postal addresses, phone numbers, birth dates and passwords). Employee passwords were also stolen. eBay has to reassure its customers by confirming that no bank reference was stolen.

Sony Pictures

On 24 November 2014, hackers penetrated the computer systems of Sony Pictures at various sites of the company, including its headquarters in Los Angeles. Stolen data, including new films and confidential internal information (hundreds of thousands of documents including legal data, emails, marketing or strategic plans, salary details), were disclosed on general public download websites.

Orange

The French phone company Orange has undergone two cyber-attacks within a few months. In January and April 2014, millions of customers’ personal data was stolen. The cost of these incidents sustained by Orange is greater than 24 million EUR (29 million USD).

TV5 Monde

On 8 and 9 April 2015, the French channel TV5 Monde suffered a large-scale cyber-attack. The two servers for the broadcast of the video stream to the antenna could not function any longer. Broadcasting was interrupted. The claim amount is not yet known.

Ryanair

Airliner Ryanair has announced that hackers have stolen nearly 5 million USD after making a fraudulent electronic transfer passed via a Chinese bank.

According to the carrier, those funds should have been used to pay kerosene bills. This fraud was discovered on April 24, 2015.