Why cyber attacks can be costly
Sep 20, 2021
There are scenarios that would put almost any company in trouble. Regardless of a company's industry, size or organization, nearly all have one thing in common: dependence on a functioning infrastructure.
This includes the basic supply of electricity and water as well as the fixed and mobile telephone networks. Beyond these, a functioning information technology is likely to have the highest priority for most companies. If all IT systems fail at once, in many companies neither the telephone nor production nor access to essential company documents will work. On top of that, those responsible face further problems after a cyber security incident; reporting obligations to the data protection authorities and the loss of reputation with customers are just two of them.
Crime adapts to and evolves with the circumstances of society, and easy, rewarding targets are sought out. According to the situation report of the Federal Criminal Police Office (BKA), the number of registered cybercrime cases has been rising continuously since 2017, with a preliminary peak of 108,474 cases in 2020. The clearance rate fell from around 40 percent to just 32.6 percent in the same period. It is particularly noteworthy that the authors of the situation report speak of a veritable "underground economy". This includes services such as commissioning attacks that knock servers offline (so-called denial-of-service attacks) or renting remote administration tools.
Possible attack scenarios
Cybercrime is a collective term for a variety of attacks with different targets and techniques. For many years, online banking was the main point of attack, as money could be transferred directly. Today, however, criminals increasingly go after their victims in a targeted manner.
Common forms of attack are:
- Information theft: Access to the company network is first gained unnoticed, for example with so-called "information stealers" such as the Trickbot malware. The information obtained can either be sold directly or used for follow-up actions such as blackmail or fraud.
- Denial-of-service attacks: The aim is to deliberately disable company servers. To do this, attackers use, for example, remote-controlled botnets that flood the server with requests (so-called distributed denial of service attacks, DDoS for short). If the target is an online store, for example, its failure can lead directly to a serious loss of revenue. This form of attack is often associated with blackmail.
- Ransomware: The use of crypto-ransomware (often called encryption Trojans) to blackmail companies and organizations has become a persistent problem. Important documents and files are encrypted, frequently to the point of rendering the systems inoperable, and the extortionists then offer to decrypt them in exchange for a ransom. Well-known companies, universities, hospitals and local governments have all been affected in the past. Malware families used in this area include Ryuk, Maze and DoppelPaymer.
Cost factors in a cyber security loss event
A cyber security loss event is multi-faceted and is usually not limited to the obvious cost items. When assessing the risks, the following points should be taken into account according to a guideline from the industry association bitkom:
1. Operational impact: This covers the costs directly caused by the non-functioning infrastructure. In an IT failure, telephone systems and production systems may be affected, access to important documents is usually lost, and communication with customers is therefore restricted. Automated processes are disrupted and have to be reworked later, for example by entering requests into ticket systems by hand. bitkom puts the total loss for an e-commerce server that was down for just 48 hours at 185,000 euros, assuming sales of 135,000 euros during this period; the lost sales alone thus account for 135,000 euros of that figure.
2. Damage assessment: There are basically two competing interests here. For a damage assessment in the form of an IT forensics investigation, specialists have to secure volatile and non-volatile data before anything is restored; volatile data such as memory contents and active network connections is lost as soon as a machine is rebooted or reimaged, which is why it is collected first. This delays the recovery of the systems, so in addition to the costs for the IT forensic specialists, further losses of revenue are to be feared. Nevertheless, it must be carefully weighed up which interest prevails. If customer data has potentially been leaked, such as the credit card data of four hundred customers of a restaurant in bitkom's example, damage assessment may take precedence: those affected must be warned and the loss of reputation limited. Concealing the incident in such a case would be fatal, and not only from a legal perspective.
3. Management of damage control: Regardless of the specific form the incident takes, the affected company should form a crisis team to handle it. This often has to include external parties such as IT specialists, consultants and legal experts. In addition to the measures themselves, communication with customers and possibly also the press must be coordinated, and those responsible should keep their own employees up to date. A temporary infrastructure for communication and documentation may even be required, since the usual systems may be down or may still be under the attackers' control.
4. Recovery costs: the IT infrastructure must be up and running again as quickly as possible. This may require the purchase of replacement hardware. At the very least, however, a large number of IT specialists will be needed within a short period of time, unless there is an in-house IT department of an appropriate size. In any case, the internal and external experts will have to be paid for their time. Due to the urgency, the costs are likely to be increased by weekend and night surcharges.
5. Ransom: It would be desirable if no affected company complied with ransom demands, as this is the only way to curb the criminal business model. However, if a company's existence depends on the availability of certain files or the operational capability of a server, those responsible may see no choice but to pay the demanded amount. Sums in the five- or six-figure range are often realistic. Paying does not guarantee that the data can be decrypted, nor does it remove the attackers' access to the network or any copies of the data they have already exfiltrated.
6. Contractual penalties and fines: If production processes have been impaired for an extended period, contractual obligations may not be met, so the affected company must expect contractual penalties and claims for damages. After a successful attack on a company's IT infrastructure, there is also at least a suspicion that obligations under the IT Security Act or the General Data Protection Regulation (GDPR, in German DSGVO), for example, have not been complied with. This can be punished with fines that often run into six figures.
7. Follow-up costs: Even if normal business processes are up and running again, there are still a number of points to be considered in the follow-up. These include informing customers and business partners, public relations work and optimizing the company's own business processes. In unfavorable cases, the trust of customers and cooperation partners must be restored. In addition, identified weaknesses should be rectified. This reduces the risk of a new cyber security loss.
Because of the different conditions companies face, it is difficult to put a concrete figure on the total cost of a loss event. In a case study of a manufacturing company with annual sales of 20 million euros that fell victim to a ransomware attack, bitkom puts the damage at around 6.6 million euros.
Liability issues for third-party damage
A very sensitive issue is liability towards third parties after a cyber security incident. If contract contents become public after a data theft, confidentiality agreements may be breached. When customer data is leaked, the customers' privacy rights may be violated. In even worse scenarios, disruptions in a company's production processes can endanger outsiders, for example through fluctuations in product quality or through emissions caused by a malfunctioning plant.
Cyber attacks remain a permanent problem
It is illusory to assume that criminal activity could ever be permanently eliminated from the IT sector, and absolute protection against cyber security damage is equally unrealistic. The only thing left for companies and organizations to do is therefore to prepare for such a scenario as well as they can and to set themselves up so that the damage is kept to a minimum. Supporting measures can be:
- Creating a contingency plan for the event of a cyber attack
- Establishing and regularly testing effective backup strategies for systems and data, including practising the restore; since ransomware routinely targets reachable backups, at least one copy should be kept offline or otherwise unmodifiable
- Maintaining a security infrastructure consisting of firewall, intrusion detection and virus protection
- Examining own systems for security gaps, for example through external penetration testing
- Regular training and sensitization of employees, binding stipulation of work processes in guidelines
- Monitoring of developments in the IT security area, consulting with external experts if necessary
- Legal assessment of liability issues in advance, coverage of risks by insurance policies
The costs arising from this should be calculated as fixed expenses when operating an IT infrastructure commercially. They may help to prevent cyber security damage from occurring in the first place.