More alarming news about hacking piled up this week. On Tuesday researchers at the cybersecurity firm NowSecure publicized their finding that Samsung Galaxy phones (all 600 million of them) have a flaw in their keyboard software that can let in hackers. (They told Samsung about the vulnerability in November, to no avail; the company now says an update will be issued within a few days.) Then on Wednesday, hackers crashed Canada’s federal government websites and email for nearly two hours. And on Thursday, the cybersecurity firm FireEye released a report that hackers are targeting the accounts departments of companies in Hong Kong with the intention of siphoning business payments into their own accounts. Over 35% of FireEye’s customers in Hong Kong said they had detected such attacks against them in the past year.
Cyberattacks are one of the biggest threats facing businesses, and the toll is only increasing, despite higher spending on cybersecurity. According to a recent study, U.K. businesses alone face a heavy annual toll from hacking: $28.6 billion in lost revenue, and $25.4 billion in extra investment in IT security. On the global scale, a study from last June estimated that hackers are costing consumers and companies between $375 billion and $575 billion annually. It added that online crime amounts to approximately 0.8% of global GDP, close to the 0.9% that is spent on managing the global narcotics trade. And Juniper Research predicts that by 2019 the cost of data breaches at companies will hit $2.1 trillion globally.
According to a study of 102 American business risk managers released earlier this month, almost 70% of businesses experienced at least one hacking incident in the last year. 46% said their business had either purchased cyber insurance for the first time or increased its level of coverage in the last year. But 36% of the businesses do not have any level of cyber insurance coverage, despite the growing frequency and cost of cyberattacks.
While the hacking of large companies (such as Sony and Home Depot) makes headlines, many attacks on small companies go unreported because the businesses are not publicly traded and are therefore bound by fewer disclosure requirements. Small firms do not have the same budget to spend on cybersecurity that large firms do, and many are lulled into complacency by assuming that hackers will go after bigger targets instead. While this may have been the case years ago, it is now wishful thinking, and a reality adjustment is badly needed before things get entirely out of hand. Half of the 675 small U.S. businesses surveyed by the National Small Business Association reported having been hacked last year, up from 44% in 2013. And of those companies that were attacked, 68% said it had happened at least twice. The New York Times reported that last year the average hacking incident cost the typical small business $20,752, up from $8,600 in 2013.
Cybercrime is only going to become more expensive as “a tax on innovation,” especially in the growing mobile device sector, said Stewart Baker, a former assistant secretary for policy at the Department of Homeland Security. But there is some positive news: the very openness of the internet is being used to help protect businesses. Granted, the vast majority of hackers are malicious, whether they are state-sponsored (as in China) or private criminals, but there is a small number of so-called “white hat hackers” or “ethical hackers” who act as unsolicited freelance cybersecurity testers. They attempt to hack into companies’ systems but do not cause any damage; rather, they notify the companies about the specific vulnerabilities, for a financial reward.
This is still a controversial issue; some companies have embraced it, and others remain suspicious and hostile. When white hat hackers bring flaws to firms’ attention, management sometimes chooses to ignore them, or threatens them by calling the authorities. This attitude makes it far more lucrative for hackers to sell the details of those vulnerabilities to black market actors who will use or stockpile them.
But other more forward-looking firms have “bug bounty” programs that reward ethical hackers. A recent start-up called HackerOne allows independent “researchers” to upload the vulnerabilities they find to the platform and then receive money from companies using the website. People using the platform earn an average of $650 per flaw that is found, according to Alex Rice, chief technology officer at HackerOne. Now Facebook, Microsoft, Google, Yahoo, Square, and Twitter, as well as banks and oil companies, are all working with HackerOne.
Hacking is here to stay, and the more precautions companies can take, whether stronger encryption, paying bug bounties, or taking on cyber insurance policies, the better off they will be.