New research from Grant Thornton International Ltd reveals that cyber attacks are taking a serious toll on business, with the total cost of attacks globally estimated to be more than £200bn (at least US$315bn*) over the past 12 months. The UK government has classified cyber security as one of the four top threats to the UK, alongside natural disasters, international terrorism and military invasion. The Grant Thornton International Business Report (IBR), a global survey of 2,500 business leaders in 35 economies, reveals that more than one in six businesses surveyed faced a cyber attack in the past year. With high-profile security breaches and hacks becoming more prevalent, nearly half of firms are putting themselves in the firing line with no comprehensive strategy to prevent digital crime.
According to the IBR, 15% of businesses say they have faced a cyber attack in the past year. Businesses in the EU (19%) and North America (18%) have been most heavily targeted. However, no region has been immune. Regionally, cyber attacks are estimated to have cost Asia Pacific businesses $81bn in the past 12 months, while firms in the EU ($62bn) and North America ($61bn) are also counting the significant cost of attacks.
Further analysis of the results reveals that the average ‘successful’ cyber attack costs businesses 1.2% of revenues. But despite this risk, only just over half of firms surveyed (52%) said they currently have a cyber security strategy in place.
Manu Sharma, head of cyber security and resilience at Grant Thornton UK LLP, said: “Cyber attacks are an increasingly significant danger for business. Not just the costs in terms of financial penalties, but serious reputational damage and loss of customers and business can be inflicted if attacks undermine customer confidence. Despite this, some firms still lack a strategy to deal with cyber threat or even understand the risks to their organisation.
“Businesses cannot afford to be behind the curve on this threat. Cyber attacks can strike without warning and sometimes without the victim being immediately aware. The pressure from customers and clients cannot be ignored. In this digital age, rigorous security and privacy is expected. If this cannot be guaranteed the ultimate risk is they will simply go elsewhere.”
Grant Thornton’s research reveals that the sector most concerned by the threat of a cyber attack is financial services (74% of business say it is a threat) – this is also the sector with the joint-highest recorded instances of cybercrime (26%). At the other end of the spectrum, only 10% of transport firms globally have reported a cyber attack in the past 12 months and just 27% perceive it as a threat.
Where businesses are implementing cyber security strategies, the number-one driver cited is client/customer demand (44%). 42% of business have implemented a strategy because of an increased use of automation and other emerging technologies which could leave them exposed.
Manu Sharma added: “Many of the perpetrators of cyber attacks are sophisticated, heavily resourced criminal organisations or could be state sponsored. As the digitisation of business continues, it is vital that businesses take the cyber threat as seriously as the criminals attempting to attack them. Otherwise, cyber attacks will continue to escalate in frequency and scale.
“Vigilance alone won’t keep businesses safe. Proactive and detective measures are need to work together to minimise the threats. This is an issue which needs to be on the agenda in boardrooms as well as business departments. Management teams need to be driving cyber strategies which boost awareness of the threat among all staff, and of the policies and procedures in place to deal with the threat. Just as critically, clients and customers also need reassurance that effective controls are in place.”
“DDoS attacks alone could account for a substantial percentage of this number. Based on our research, attacks cost $40,000 per hour, and occur weekly on average, sometimes more,” said Marc Gaffan, GM for Incapsula at Imperva. “Just looking at ecommerce and online banking sites – around 110,000 worldwide – hit once per week, for a total downtime of five hours per year, that comes to $22 billion dollars, and could easily be higher if you consider longer attacks and other industries.”