The cost of cybercrime

  • The average cost of cybercrime to Australian businesses in 2019 was $36,295 – with some businesses having to fork out up to $250,000.
  • As cybercrime continues to dominate news headlines and case numbers keep growing, security experts warn it’s not a question of ‘will an attack happen to me?’ but ‘when will it happen?’
  • No business, big or small, is completely immune to cybercrime – emphasizing how important it is to ensure your business is taking security seriously, and implementing measures to prevent or ease the disruption if it did happen to you.

Imagine your business receiving an unexpected bill of $36,295 tomorrow.

That was the average cost paid to cyber extortionists by Aussie businesses at the start of 2019. And some payments were as high as $250,000.

It’s easy to adopt the ‘it won’t happen to me’ mentality but when it does happen, it can be extremely hard to come back from such a big financial hit.

Security in Depth CEO Michael Conoroy said “from phishing to ransomware, brute force attacks to attacks via third party suppliers, the issue has become – not if an attack will happen, rather when an attack will happen and how we can manage it.”

The numbers don’t lie.

Conoroy also said that more than 23,000 businesses in Australia experienced some form of a cyber incident in the first half of 2019, with numbers continuing to grow.

By 2022, the cost of cybercrime is expected to exceed 2019’s billion-dollar mark by a further 52%.

Breaking down cybercrime costs in Australia

The 2020 Allianz Risk Barometer reports that cybercrime ranks as the highest business concern globally. And with good reason: The World Economic Forum recently set out the average costs of cybercrime – and the numbers aren’t good.


Unfortunately, the immediate dollar costs you may be aware of are just the start of the overall damage to your business.

The internal vs external costs to your business

A well-cited study explains a framework for measuring the costs of cybercrime by breaking it down into two parts.

  1. Internal costs that help your business prevent or deter cybercrime from occurring.
  2. External costs incurred if a cybercrime does occur.

Let’s take a look in more detail.

Internal Costs

  • Detection: The costs associated with making sure your business is set up to detect, and possibly deter, cyber attacks.
  • Investigation and escalation: When a potential threat is detected, there are costs in making sure you have the resources to investigate it fully.
  • Containment: If the investigation confirms a threat, there are costs in making sure the threat doesn’t escalate.
  • Recovery: Costs associated with repairing business infrastructure.
  • Ex-post response: If you experience a cyberthreat of any kind, you’ll need funds to cover the implementation of other technologies to help prevent future attacks.

External Costs

  • Cost of information loss or theft of sensitive customer data: This includes the cost of losing your customers’ trust, which is hard to win back and will affect your bottom line.
  • Cost of business disruption: Dealing with downtime or unplanned outages can prevent you from carrying out business-as-usual tasks.
  • Cost of equipment damage: The costs associated with getting systems and IT infrastructure back up and running, including the cost of replacement equipment and the staff time to do it.
  • Lost revenue: You risk losing existing customers and failing to acquire new ones because of system delays, downtime and the inability to keep up with normal sales and customer care operations.

Accenture’s security lead in Australia and New Zealand, Joseph Failla, was interviewed on the impact cybercrime has on Australian businesses.

He said “Australian businesses must understand where they can gain value in their cybersecurity efforts to improve their cyber resilience, minimising risk and even preventing future attacks.”

“The continued lack of investment in artificial intelligence, machine learning and automated technologies is concerning, especially as they represent the most value.”

Prevention is your best ally

If you open a shopfront, one of the first things you do is install a security system to alert you to a break-in. That security system is then connected to a company with the tools and expertise to handle the crime.

So when it comes to your business’s network security – you should be installing high-quality programs that are highly sensitive to irregular activity.

But the reality is: only 17% of Australian businesses are prepared for a data breach.

Here are some steps to making sure you are implementing the right cybersecurity measures.

1. Get the security basics right first.

Make sure you are implementing good general security best practice measures and educating your employees about them. Some of these include:

  • Using spam filters to reduce the amount of spam and phishing emails your business receives. 
  • Installing the right firewall security.
  • Encrypting your data when stored online with restricted access to approved users only.
  • Making sure your business devices are protected with strong passwords that are changed regularly.

2. Prioritise protecting your business from people-based attacks.

The 2018 State of Cyber security in Australia reported that 64.3% of all reported data breaches are related to human error inside the organisation. This includes sending personally identifiable information incorrectly via email and being vulnerable to phishing attacks.

Often, access to sensitive information such as log-in details comes via ‘phishing’ emails. These are fraudulent imitations of emails from respectable institutions such as banks, telecommunications, legal firms, or internet providers. They look and sound just like the real thing, and will usually ask for private details like birthdates or credit card numbers.

It is crucial that you put the right training in place to ensure your staff are on high alert for phishing emails – it’s often human error that gives cybercriminals their way in.
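As an added illustration (not code from EWAY or from the article), here is a small Python scorer that turns the warning signs described above into the kind of checks a spam or phishing filter applies: a sender claiming to be a known institution but writing from a domain that isn’t theirs, links that point outside that institution’s domains, and requests for private details or urgent action. The brand list, the weights, the threshold and both sample messages are constructed assumptions for this example.

```python
"""Toy phishing-indicator scorer (added illustration, not EWAY's code).

Parses a raw e-mail and scores it on a few defender-side heuristics that
match the article's description of phishing: imitation of a respectable
institution plus a request for private details. Brand list, weights,
threshold and sample messages are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: institutions your staff deal with and the domains they really send from.
KNOWN_SENDERS = {
    "examplebank": {"examplebank.com.au"},
    "examplecard": {"examplecard.com"},
}

# Phrases that ask the reader to hand over private details, or to act in a hurry.
PII_REQUESTS = re.compile(
    r"\b(date of birth|birthdate|credit card number|card number|password|pin)\b", re.I)
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|account (will be )?suspended)\b", re.I)
LINK = re.compile(r"https?://([^/\s]+)", re.I)


def brand_in(text):
    """Return the first known brand mentioned in text, ignoring case and spaces."""
    lowered = text.lower().replace(" ", "")
    for brand in KNOWN_SENDERS:
        if brand in lowered:
            return brand
    return None


def domain_matches(domain, brand):
    """True if domain is one of brand's real sending domains, or a subdomain of one."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in KNOWN_SENDERS[brand])


def score_message(raw):
    """Parse a raw RFC 822 message and return (score, list of reasons)."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons, score = [], 0

    # 1. Display name or subject claims a known brand, but the address is not theirs.
    brand = brand_in(display_name) or brand_in(subject)
    if brand and not domain_matches(sender_domain, brand):
        score += 3
        reasons.append(f"claims to be {brand} but sent from {sender_domain or 'no domain'}")

    # 2. A link leads to a host outside the brand's domains (lookalikes included).
    for link_host in LINK.findall(body):
        link_brand = brand_in(link_host)
        if (brand or link_brand) and not domain_matches(link_host, brand or link_brand):
            score += 2
            reasons.append(f"link to {link_host} outside the brand's domains")
            break

    # 3. Asks for private details such as birthdates or card numbers.
    if PII_REQUESTS.search(body):
        score += 2
        reasons.append("requests private details")

    # 4. Pressure to act now.
    if URGENCY.search(subject + " " + body):
        score += 1
        reasons.append("urgency language")

    return score, reasons


def is_suspicious(raw, threshold=4):
    """True when the message's score reaches the (assumed) quarantine threshold."""
    return score_message(raw)[0] >= threshold


# Constructed sample messages: one imitation of the bank, one genuine notice.
PHISH = """From: Example Bank Security <alerts@examplebank-verify.example>
Subject: Urgent: verify your account within 24 hours
Content-Type: text/plain

Your account will be suspended. Confirm your date of birth and card number at
https://examplebank-verify.example/login
"""

LEGIT = """From: Example Bank <noreply@examplebank.com.au>
Subject: Your monthly statement is ready
Content-Type: text/plain

Log in at https://www.examplebank.com.au to view your statement.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        score, reasons = score_message(raw)
        print(f"{label}: score={score} suspicious={is_suspicious(raw)} reasons={reasons}")
```

A filter built this way catches the lookalike sender and the lookalike link even when the wording is polished, which is exactly the case the article warns about; it does not replace staff training, because a message that uses a compromised genuine mailbox would pass checks 1 and 2.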

3. Make sure you are meeting the highest standards for data protection.

If you receive and store credit card data or take payments online, then you need to ensure your business is protecting that data. The best way to do this is by ensuring your business is PCI compliant – you can learn more about what PCI is and why you should care.

This isn’t something you have to do alone.

One of the driving forces behind EWAY was to provide easy access to high-quality cybersecurity programs. Our program is called the Merchant Trust Initiative (MTI) and will give you the tools you need to improve security within your business, including guidance on how you can become PCI compliant.

Becoming PCI compliant isn’t just about meeting a regulation enforced by the PCI Security Standards Council, or demonstrating to your customers that their data is safe. When you implement these measures in your business, you are making it harder for cybercriminals to find a way in.

Looking at the potential costs a cyberattack can inflict on your business, is it really something you want to take a gamble on?