On May 29, 2009, President Barack Obama stated, “the cyber threat is one of the most serious economic and national security challenges we face as a nation” (Obama, 2009). Fast forward to 2016, and attacks on networks and computer systems, also referred to as cyber attacks, seem to be reported in the news almost weekly. Computers with access to the internet, or connected to a network, are in danger from hackers who are exploiting vulnerabilities in these systems. This isn’t just an issue for people with personal computers; businesses, both small and large, are being attacked on a regular basis. The rise of cyber attacks in the private sector is leading to an increase in financial costs to businesses and the need for cyber security professionals.
This paper addresses the financial cost of cyber attacks to businesses in the global market, in addition to second and third tier effects that are sometimes overlooked when analyzing the impact of cyber attacks. Finally, this paper will address the expected security spending needed to combat cyber attacks, with an increase in cyber-security professionals. As the number of cyber attacks continues to rise, so do the costs associated with battling this threat. Cyber attacks in 2014 were up 40% from 2013, and financial services encountered 300% more security incidents than other sectors (Myles, Lee, Thomas, Meager, 2015). Tracey Caldwell, a freelance business technology writer and editor of Biometric Technology Today, says there are three main categories when it comes to cost that may be easier to understand than thinking in terms of a monetary value. The first category is direct costs, which are usually associated with recovering after a cyber attack (Caldwell, 2014).
According to a Dell Software security survey that covered governments, financial, education, healthcare, and retail, the global average cost of a single security breach due to cyber attacks is $917,884 (Caldwell, 2014). A security breach can occur when an intruder exploits unpatched vulnerabilities in a company's software, causing the program to crash or act in unexpected ways (Carlin, 2016). Carlin notes that this can allow intruders to access information or find backdoors into other programs, which can then be used to install malware or similar malicious programs. Once the intruder has breached security and gained control over the system, even partial control, information can be stolen or deleted before other computers are targeted (Carlin, 2016). McAfee, a part of Intel Security, estimates that “the likely annual cost to the global economy from cybercrime is more than $400 billion with a conservative estimate of $375 billion in losses, while the maximum could be as much as $575 billion.” These estimates are larger than most countries' gross domestic product (GDP), and if losses continue to grow, as expected, employment rates can be affected; an estimated 200,000 American and 150,000 European jobs could be affected due to changes in GDP caused by cybercrimes (McAfee, 2014).
The second category Caldwell spoke of is fines and victim compensation (if account information or personally identifiable information was stolen in the attack), and the third and most significant category is loss of business due to damage to reputation (Caldwell, 2014). These are considered the second and third order effects of a cyber attack. According to Emily Mossburg, a principal for Deloitte Advisory Cyber Risk Services, the cost of cyber attacks isn’t always as straightforward as the loss of currency, although that plays a large part. She mentions that cyber attacks performed against companies, both small and large, can result in the loss of business if customers feel their personal information isn’t being safeguarded, the loss of intellectual property that may be giving them an edge in the market, and legal fees and litigation that can have effects even years after an attack occurs (Mossburg, 2015). A study by Deloitte identifies some cost factors that many companies are often unprepared for (Mossburg, 2015).
Cyber attacks can trigger larger investigations that may lead to further security violations, thus incurring more costs via fines and fix actions (Mossburg, 2015). Mossburg states that, in addition to fines and the costs to fix the vulnerabilities, companies may face higher cyber insurance premiums and may suffer a full-level downgrade in credit ratings, which in effect raises their interest rates and can add millions of dollars to the cost of a project. Depending on the severity or timing of a cyber attack, the loss of customers can be the largest impact to a company; an example of this would be a retailer whose breach happened before a holiday shopping season or a company whose clients no longer believe their secrets can be kept safe (Caldwell, 2014). Companies reporting major attacks suffer a 1-5% drop in stock value; while some companies recover, others may lose everything (Kaul, 2015). With cyber attacks on the rise, it makes sense for companies to want to invest in more security in order to protect their assets.
A 2016 survey on IT security spending trends, conducted by the SANS (SysAdmin, Audit, Network and Security) Institute, stated “security budgets and spending are on the rise, with much of that spending going toward in-house skills to support application security, intelligence and analytics, and data security, among other functions” (Filkins, 2016). According to the SANS survey that Filkins authored, the top three driving factors in security spending were aimed at protection of sensitive information, regulatory compliance, and reducing incidents and breaches. The percentages of IT budget allotted for security spending show that the lowest range, 0%–3%, is shrinking over the three-year period the survey took place, while budgets in the range of 4%–6% and 10%–12% have grown in 2015 and 2016 (Filkins, 2016). Filkins notes that an organization's size and the industry it is in influence the budget for security spending; medium and large sized companies were expected to spend 7%–9% of their overall IT budget ($1M–$10M and $10M–$50M respectively) on security, with financial services spending the most in the private sector.
In addition to the above-mentioned increases in security spending, cyber attacks are leading to a potential boom in cyber insurance policies and the need for cyber security professionals. Right now, cybersecurity insurance policy premiums are estimated at around $1.5 billion globally, with the US holding around $1 billion of that (Kirkpatrick, 2015). The US is the leading market for cyber policies, likely due to privacy laws that have been enacted over the past decade; however, the market is expected to grow globally due to similar regulatory changes being put in place throughout the world. These regulations, which are expected to be ratified in 2017, should increase the number of cyber insurance premiums in Europe, which currently accounts for less than 10% of the global market (Kirkpatrick, 2015). When it comes to creating jobs, according to a 2016 study of the international shortage in cybersecurity skills conducted by McAfee, the global cybersecurity workforce shortfall could be as high as one to two million positions that are unfilled by 2019, with no signs of the shortage going away. Eighty-two percent of the companies responding to the McAfee survey reported a shortage of cybersecurity skills, and the majority thought this shortage is far greater than that of the general IT workforce. This shortage is leading companies to offer higher pay for these positions, with the median salary being 2.7 times higher than the average wage, which is sure to entice more people to the profession, prompting industry growth (McAfee, 2016).
There are countless reasons that criminals are committing cyber attacks on a daily basis. Some are seeking to steal basic credit card information for monetary gain; others are looking to get an edge over competitors and acquire trade secrets. No matter the reason, cyber attacks are driving some large changes globally. With the threat of cyber attacks causing data loss, compromise of proprietary information, and potential destruction of networks, private sector companies are increasing their security spending as well as looking to hire security professionals to protect themselves from cyber incidents.
With new privacy laws that are being enacted globally, companies must find new ways to protect their data from would-be cyber criminals, or risk hefty fines from their government or loss of customers in the event of a compromise. As the world increasingly relies on technologies that connect us through networks, the cybersecurity industry must continue to grow to meet this threat.