Cyber incidents cost businesses $45B in 2018: report
Internet Society report shows cybercriminals learning how to monetise millions of incidents
Cybercriminals are getting better at monetising their activities, a new report by the Internet Society’s Online Trust Alliance (OTA) shows.
OTA estimates that the more than 2 million cyber incidents in 2018 resulted in over $45 billion in losses, with the actual numbers expected to be much higher as many cyber incidents are never reported.
“The financial impact of cybercrime is up significantly and cyber criminals are becoming more skilled at profiting from their attacks,” said Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance.
In the report, OTA noted a steep rise in cyber incidents like supply chain attacks, Business Email Compromise (BEC) and cryptojacking. Some attack types, such as ransomware, are not new but continue to be lucrative for criminals. Others, such as cryptojacking, show that criminals are shifting their focus to new targets. Some of the top trends from the Cyber Incident & Breach Trends Report are listed below.
The financial impact of ransomware rose by 60%, losses from business email compromise (BEC) doubled, and cryptojacking incidents more than tripled, all despite the fact that overall breaches and exposed records were down in 2018.
Cryptojacking tripled in 2018. This is a specific type of attack aimed at hijacking devices to harness computer power at scale to efficiently mine cryptocurrency. OTA believes these incidents are increasingly attractive to criminals as they represent a direct path from infiltration to income, and are difficult to detect.
Though well-known as an attack vector, Business Email Compromise (BEC) doubled in 2018, resulting in $1.3 billion in losses as employees were deceived into sending funds or gift cards to attackers who use email to impersonate vendors or executives. Many companies are reacting by clearly labelling all emails that originate outside the organisation’s network.
Attacks via third parties
Supply chain attacks – wherein attackers infiltrate via third-party website content, vendors’ software or third parties’ credentials – were not new in 2018 (similar past exploits include Target in 2013, CCleaner and NotPetya in 2017), but they continue to proliferate and morph. The most notable 2018 attack was Magecart, which infected the payment forms on more than 6,400 e-commerce sites worldwide. The OTA report compiled external sources that estimated a 78% increase in these types of attacks in 2018, with two-thirds of organisations having experienced an attack at an average cost of $1.1 million, and estimates that half of all cyber-attacks involve the supply chain.