2

SECURITY TRENDS BY THE NUMBERS

by Scott Berinato and Matt Perry

To understand the discouraging state of cybersecurity, first consider the stats in figure 2-1, from surveys conducted with companies around the globe in 2017. Respondents were asked about the incidence in their firms of targeted attacks—assaults with the potential to penetrate network defenses and damage or extract valuable assets (as opposed to the countless low-level nefarious activities that are more nuisance than threat). They also reported on breaches—attacks that get through.

FIGURE 2-1

Average annual number of targeted attacks and breaches per company

Source: Accenture, “2018 State of Cyber Resilience: Gaining Ground on the Cyber Attacker”

According to a similar survey in 2018 (figure 2-2), the proportion of targeted attacks that were thwarted has risen to 87%. That might sound like good news, but the number of attacks also continues to increase.

FIGURE 2-2

Even though we’re thwarting more attacks, we’re not preventing more breaches

Source: Accenture, “2018 State of Cyber Resilience: Gaining Ground on the Cyber Attacker”

And when you take the data in figure 2-3 into account it becomes clear that companies are spending more and more just to tread water. Firms are seeing roughly the same number of breaches, on average. And experts believe that number will not fall substantially, because attacks will keep increasing. Moreover, they worry that breaches will affect higher-impact targets and have more far-reaching consequences. Spending, too, is likely to keep rising, owing to the intensifying use of preventative measures and the increasing costs of breaches.

FIGURE 2-3

Average cost of cybercrime per company (US$M)

Source: Accenture and Ponemon Institute, “2017 Cost of Cyber Crime Study: Insights on the Security Investments That Make a Difference”

In this chapter we offer a visual exploration of the state of cybersecurity, with charts drawn from three highly respected industry reports. Verizon’s “2018 Data Breach Investigations Report” analyzes more than 53,000 cybersecurity incidents (events that potentially expose data) and 2,216 breaches (incidents resulting in the confirmed disclosure of data) in 65 countries. Accenture’s “2018 State of Cyber Resilience” is based on surveys of 4,600 executives at $1 billion-plus companies in 19 industries across 15 countries. Its “2017 Cost of Cyber Crime Study,” conducted with the Ponemon Institute, draws on responses from 254 companies in seven countries. Although definitive data on cybersecurity events is hard to come by, given the often-elusive nature of the threat, together these reports provide a detailed picture of the state of play.

The data reveals a dual reality. On the one hand, things haven’t changed: Attacks occur constantly and employ many of the same technical approaches that have been used for years. On the other hand, things have changed radically: More attacks take place now than ever before. And they’re getting more vicious: We’re seeing more assaults on critical infrastructure and a veritable onslaught of “ransomware,” which locks users out of their data or technology until they pay up.

Here’s what we know about cybersecurity today.

Who’s Getting In?

Roughly a quarter of all breaches come from internal sources—but most industries deviate from the average (figure 2-4). In those involving highly sensitive and valuable information—health care, public administration, and professional, technical, and scientific services—the proportion of internal troublemakers is higher, whereas public-facing industries, restaurants, and stores see much more activity from the outside.

FIGURE 2-4

Attacks come mostly from outsiders

Note: Some external totals include partners and/or multiple parties. Source: Accenture, “2018 Data Breach Investigations Report”

How Often Are They Getting In?

In a few highly vulnerable industries, hackers get in more often than not. But in most, multiple attacks are needed to achieve a breach (figure 2-5).

FIGURE 2-5

Attacks still fail more often than they succeed

Source: Verizon, “2018 Data Breach Investigations Report”

The ratio of incidents to breaches in an industry says much about its vulnerability. Accommodation and food services is one of the most vulnerable targets: It averages 11 breaches for every unsuccessful attack, although the payoff for breaking in is often lower than in other industries. The public sector is under massive attack, with the highest number of incidents of the industries studied. But most of them fail: For every 74 unsuccessful attacks, it sees just one breach.

What Are They Getting?

Despite all the work that’s gone into protecting user data and credit card data in recent years, those are the most commonly nabbed assets (figure 2-6). Other information-based targets not reflected here, such as contracts, RFPs (requests for proposals), and control systems, are experiencing more breaches than in the past, but user data and credit card data remain the most popular and vulnerable targets—suggesting that all our defenses haven’t helped as much as they should have.

FIGURE 2-6

Personal information and payment information are the most commonly compromised targets

Source: Verizon, “2018 Data Breach Investigations Report”

Industries in which breaches overwhelmingly involve a single type of information (medical, accommodation and food services) can hone their defenses, because the risk is well defined; the bad guys are almost always after the same thing. But industries that have multiple targets, with no one target accounting for a majority of breaches (financial, manufacturing), need a more flexible risk-mitigation strategy, one that will equip them to fight on several fronts.

Different industries have different pathways by which enemies can enter the networks—but note how frequently web apps are implicated in successful attacks (figure 2-7). Looking at an industry’s top three sources of incidents (bullet points) against the top three sources of breaches (in bold and black) tells us one of two things:

  1. If the top sources of incidents and breaches are the same, those things are heavily targeted, and companies know it—but adversaries are succeeding anyway. Something is amiss.
  2. If the top sources of incidents and breaches differ, companies have gotten good at defending on some fronts (where incidents are high but breaches aren’t) but have blind spots on others (where breaches are high relative to incidents).

FIGURE 2-7

What hackers attack most often, and what they attack most successfully, aren’t always the same

Major sources of breaches are in bold and black; major sources of incidents are bulleted (•).

Note: Professional, technical, and scientific services has four bulleted items because of a tie.

Source: Verizon, “2018 Data Breach Investigations Report”

Four Ways to Look at Costs

The simplest way to look at costs is that they’re always going up, whether through investments in defense or spending to recover from breaches (figure 2-8).

FIGURE 2-8

Average cost of cybercrime per company in selected countries (US$M)

Source: Accenture and Ponemon Institute, “2017 Cost of Cyber Crime Study: Insights on the Security Investments That Make a Difference”

It’s no surprise that the cost of cybercrime is rising around the world. The steepness of the year-over-year increases in Germany and the United States suggests that those countries hold the most appealing—to hackers—combination of value and vulnerability.

Looking at costs by sector, a few things stand out (figure 2-9). The cost of cybercrime for utilities and energy companies is high in part because of that industry’s risk profile: A breach could have immediate and potentially life-threatening consequences. Public sector costs are relatively low, but the sheer volume of attacks means that they are likely to rise significantly, especially as state-level espionage increases.

FIGURE 2-9

Average annualized cost of cybercrime by sector, worldwide (US$M)

Source: Accenture and Ponemon Institute, “2017 Cost of Cyber Crime Study: Insights on the Security Investments That Make a Difference”

From 2015 to 2017, as shown in figure 2-10, spending on detection and containment rose by about 5%—and breach prevention rates improved. But as figure 2-11 shows, revenue losses haven’t fallen commensurately.

FIGURE 2-10

Share of costs per type of activity

Source: Accenture and Ponemon Institute, “2017 Cost of Cyber Crime Study: Insights on the Security Investments That Make a Difference”

FIGURE 2-11

Share of costs per consequence of attack

Source: Accenture and Ponemon Institute, “2017 Cost of Cyber Crime Study: Insights on the Security Investments That Make a Difference”

Business disruptions now cost less than they used to; we’re getting better at maintaining uptime despite the steady drumbeat of attacks. But the cost of information losses has risen steeply. This is the great paradox of cybersecurity: Although we’ve improved our ability to thwart attacks, that hasn’t reduced the damage when attacks do succeed.

Given all this, companies should consider whether the gains realized by having multiple systems online are worth the risks. A new school of thought holds that it’s time to unplug critical systems whose breaches could have dire consequences. Yes, companies would “pay” in terms of convenience and efficiency—but would that price exceed the ever-climbing cost of fending off attacks without making a dent in breaches?

TAKEAWAYS

The state of cybersecurity is pretty discouraging. This collection of charts, created using data from three highly respected industry reports, shows just how bleak the full picture is:

  • Systems are constantly under attack by hackers employing technical approaches that have been used for years.
  • Organizations are thwarting more attacks, but more attacks (and more vicious attacks) are taking place now than ever before.
  • What we know about attacks: Most still come from external sources; they fail more often than they succeed; the most common targets are personal and payment information.

Adapted from content posted on hbr.org, May 23, 2018 (product #BG1803).
