On does the costs associated with battling this

On May 29, 2009, President Barack Obama
stated, “the cyber threat is one of the most serious economic and national
security challenges we face as a nation.”(Obama, 2009) Fast forward to 2016,
and attacks on networks and computers systems, also referred to as a cyber attack,
seem to be reported in the news almost weekly. Computers with access to the internet,
or connected to a network, are in danger from hackers who are exploiting
vulnerabilities in these systems. This isn’t just an issue for people with
personal computers; businesses, both small and large, are being attacked on a
regular basis. The rise of cyber attacks in
the private sector is leading to an increase in financial costs to businesses
and the need for cyber security professionals. This paper addresses the financial
cost of cyber attacks to businesses in the global market, in addition to second
and third tier effects that are sometimes overlooked when analyzing the impact
of cyber attacks. Finally, this paper will address the expected security
spending needed to combat cyber attacks, with an increase in cyber-security professionals.

            As the number of cyber attacks continue to rise, so does
the costs associated with battling this threat. Cyber attacks in 2014 were up 40% from 2013, and
financial services encountered 300% more security incidences than other sectors
(Myles, Lee, Thomas, Meager, 2015). Tracey Caldwell, a freelance business
technology writer and editor of Biometric Technology Today, says there are
three main categories when it comes to cost that may be easier to understand
than thinking in terms of a monetary value. The first category is direct costs,
which are usually associated with recovering after a cyber attack (Caldwell,
2014). According to a Dell Software security survey that covered governments, financial,
education, healthcare, and retail, the global average cost of a single security
breach due to cyber attacks is $917,884 (Caldwell, 2014). A security breach can
occur when an intruder exploits unpatched vulnerabilities in a companies
software, causing the program to crash or act in unexpected ways (Carlin,
2016).  Carlin notes that this can allow
intruders to access information or find backdoors into other programs, which
can then be used to install malware or similar malicious programs. Once the
intruder has breached security and gained control over the system, even partial
control, information can be stolen or deleted before other computers are
targeted (Carlin, 2016). McAfee, a part of Intel Security, estimates that “the
likely annual cost to the global economy from cybercrime is more than $400
billion with a conservative estimate of $375 billion in losses, while the
maximum could be as much as $575 billion.” These estimates are larger than most
countries gross domestic product (GDP), and if losses continue to grow, as
expected, employment rates can be affected; an estimated 200,000 American and
150,000 European jobs could be affected due to changes in GDP caused by
cybercrimes (McAfee, 2014).

The
second category Caldwell spoke of is fines and victim compensation (if account
information or personally identifiable information was stolen in the attack),
and the most significant category being loss of business due to the damage of
reputation (Caldwell, 2014). These are considered the second and third order
effects of a cyber attack. According to Emily
Mossburg, a principal for Deloitte Advisory Cyber
Risk Services, the cost of cyber attacks isn’t always as straight forward as
the loss of currency, although, that plays a large part. She mentions cyber attacks performed against a companies,
both small and large, can result in the loss of business if customers feel
their personal information isn’t being safeguarded, the loss of intellectual
property that may be giving them an edge in the market, and legal fees and
litigation that can have effects even years after an attack occurs (Mossburg,
2015). A study by Deloitte identifies some cost factors that many companies are
often unprepared for (Mossburg, 2015). Cyber attacks can trigger larger
investigations that may lead to further security violations, thus incurring
more costs via fines and fix actions (Mossburg, 2015). Mossburg states, in
addition to fines and the costs to fix the vulnerabilities, companies may face higher
cyber insurance premiums, and may suffer a full-level downgrade in credit ratings,
which in effect raises their interest rates and can add millions of dollars to
the cost of a project. Depending on the severity or timing of a cyber attack,
the loss of customers can be the largest impact to a company, an example of
this would be a retailer whose breach happened before a holiday shopping season
or a company whose clients no longer believe their secrets can be kept safe
(Caldwell, 2014). Companies reporting major attacks suffer a 1-5% drop in stock
value, while some companies recover, others may lose everything (Kaul, 2015).

With
cyber attacks on the rise, it makes sense for companies to want to invest in
more security in order to protect their assets. A 2016 survey on IT security
spending trends, conducted by SANS (SysAdmin, Audit, Network and Security)institute,
stated “security budgets and spending are on the rise, with much of that
spending going toward in-house skills to support application security, intelligence
and analytics, and data security, among other functions” (Filkins, 2016).
According to the SANS survey that Filkins authored, the top three driving
factors in security spending were aimed at protection of sensitive information,
regulatory compliance, and reducing incidents and breaches. The percentage of
IT budget allotted for security spending show that the lowest range, 0%–3%, is
shrinking over the three year period the survey took place, while budgets in
the range of 4%–6% and 10%–12%, have grown in 2015 and 2016 (Filkins, 2016).
Filkins notes that the organizations size and industry they are in influences
the budget for security spending; medium and large sized companies were
expected to spend 7%-9% of their overall IT budget ($1M-$10M and $10M-$50M
respectively) on security, with financial services spending the most in the
private sector.

In
addition to the above mentioned increases in security spending, cyber attacks
are leading to a potential boom in cyber insurance policies and the need for
cyber security professionals. Right now, cybersecurity insurance policy premiums
are estimated at around $1.5 billion globally with the US holding around $1
billion of that (Kirkpatrick, 2015). The US is the leading market for cyber
policies, likely due to privacy laws that have been enacted over the past
decade, however, the market is expected to grow globally due to similar regulatory
changes being put in place throughout the world; these regulations, that are
expected to be ratified in 2017, should increase the number of cyber insurance
premiums in Europe, which currently accounts for less than 10% of the global
market (Kirkpatrick, 2015). When it comes to creating jobs, a 2016 study of the
international shortage in cybersecurity skills conducted by McAfee, the global
cybersecurity workforce shortfall could be as high as one to two million
positions that are unfilled by 2019 with no signs of the shortage going away. Eighty-two
percent of the companies responding to the McAfee survey reported a shortage of
cybersecurity skills, the majority thought this shortage is far greater than
that of the general IT workforce. This shortage of jobs is leading companies to
offer higher pay for these positions, with the median salary being 2.7 times
higher than the average wage, which is sure to entice more people to the
profession, prompting industry growth (McAfee, 2016).

There are
countless reasons that criminals are committing cyber attacks on a daily basis,
some are seeking to steal basic credit card information for monetary gains,
others are looking to get an edge over competitors and acquire trade secrets, no
matter the reason, cyber attacks are driving some large changes globally.  With the threat of cyber attacks causing data
loss, compromise of proprietary information, and potential destruction of
networks, private sector companies are increasing their security spending as
well as looking to hire security professionals to protect themselves from cyber
incidents. With new privacy laws that are being enacted globally, companies
must find new ways to protect their data from would be cyber criminals, or risk
hefty fines from their government or loss of customers in the event of a
compromise. As the world increasingly relies on technologies that connect us
through networks, the cybersecurity industry must continue to grow to meet this
threat.