Economic losses from cyber attack ‘akin to natural disaster’
Not just a disaster for your data, a major attack could cost the global economy up to $120bn, according to new study.
As the likelihood of widespread cyber attacks becomes more of a daily feature online, a new report has unearthed costings to go with the phenomenon, and they’re not particularly pretty.
Insurance giant Lloyds of London believes that a future global attack could cost the global economy more than $120bn, and will average at around $53bn. One scenario laid out by the firm includes a malicious hack that successfully takes down a cloud service provider, resulting in losses of between $15bn and $121bn.
However, in cost terms, these two previous incidents were relatively lightweight, with May’s WannaCry infection - which spread to more than 100 countries - running to $8bn, while June’s NotPetya incident cost a relatively modest $850m in economic terms, according to the report.
In the cloud service provider scenario, the attackers modified a hypervisor in advance, introducing system crashes among users a year later. The researchers noted: “If a major security flaw was found in a commonly used hypervisor, cloud customers of service providers using it to segment their virtual environments could suffer from a breach on all the shared systems connected to that hypervisor. Attacks on these systems could result in cascading outages within supply chains and the potential for significant losses arising from data breaches and system outages.”
Average economic losses caused by such a disruption could range from $4.6bn to $53bn for large to extreme events. But actual losses could be as high as $121 billion, and as much as $45bn of that sum may not be covered by cyber policies due to companies under insuring. Meanwhile, the widespread hacking of operating systems would cost within the range of $9.7bn to $28.7bn.
Ilia Kolochenko, CEO of High-Tech Bridge, said that the main issue facing companies today was at bottom a simple one: “There was nothing new in this particular attack [WannaCry], and the main cause of the epidemic is our failure to adhere to cybersecurity fundamentals.
Many companies were infected because they failed to maintain a comprehensive inventory of their digital assets, and just forgot to patch some of their systems. Others, omitted or unreasonably delayed security patches. Last, but not least - malware's capacity of self-propagation leveraged lack of segregation and access control within corporate networks.
“The real problem is that in 2017, largest companies and governments still fail to patch publicly disclosed flaws for months. Practically speaking, NSA doesn't really need a 0day to get their data - their negligence "invite" attackers to get in.”
Both scenarios from the Lloyds report rely on software vulnerabilities, the huge difference in damage costs reflecting the level at which the software in question is running. Unfortunately, security in applications is not improving fast - an application security survey undertaken by High-Tech Bridge found that 83 per cent of mobile apps in banking, financial and retail sectors have a mobile backend (such as a web service or API) that is vulnerable to at least one high-risk security vulnerability.
Perhaps one reason - counterintuitively - for this is improved security. High-Tech Bridge researchers found that 53 per cent of simple flaws from the OWASP Top Ten, such as XSS, are no longer detectable by vulnerability scanners and other fully automated solutions. This is because improved credential management, such as 2FA, successfully blocks automated tools that would have otherwise found the relatively common flaws.
Given the ‘natural disaster’ scale of costs referenced by Lloyds, perhaps it’s time to weed out the ‘false security’ models and the incomplete asset inventories, fairly sharpish...