Cybercrime cost Michigan victims more than $181.6 million in 2021.
That cost, based on 2,605 complaints to the FBI from Michigan, demonstrates the ever-rising price that businesses and consumers pay each year when victimized by a cybercriminal.
Despite the financial toll from data breach incidents, experts say many businesses still lack full understanding or awareness about their vulnerability and the potential costs of an incident, or the need to take safeguards to protect themselves from an attack.
“One of the challenges is that a lot of the small to medium-sized businesses don’t necessarily think that they are potential targets for an attack and that they don’t have valuable data,” said Nate Steed, a partner and co-chair of the cybersecurity and privacy practice group at Warner Norcross + Judd LLP, a Grand Rapids-based law firm.
“Maybe they don’t collect Social Security numbers or other sensitive information on their customers or individuals, so they assume incorrectly that hackers may not want to attack them specifically because they’re just not very appealing targets. That’s just not the case,” said Steed, who works with clients to prepare for and respond to data breaches. “The bad guys — we call them ‘threat actors’ — are very indiscriminate in who they attack.
“They have been, I think, in recent years more focused on specific industries, but that’s not to say that they’re not on the lookout for crimes of opportunity all of the time. They’re the proverbial guys walking down the street looking for unlocked cars where they can quickly just grab something.”
Experts say the question is not whether a business will experience a data breach, but when.
As incident rates for data breaches and cybercrimes continually rise, email remains the main cause of data breaches. That often happens when a busy employee clicks on a link in a phishing email or gets fooled into transmitting sensitive information to a hacker posing as a coworker.
“Data security is not usually a technology problem, it’s a people problem,” Steed said. “You can spend as much money as you want on all of the bells and whistles to protect yourself, but all it takes is one person to click on a link that they shouldn’t and it undoes all of that time and money and effort that you put into securing your own environment.”
That’s why Steed and others urge clients to make awareness, education and regular training a priority for employees as a way to prevent data breaches.
Addressing the weakest link
Scammers who rely on phishing are far more sophisticated today in their approach to fool somebody and get them to click on a link that allows them to hack into a system, access sensitive data they can use, and possibly launch a ransomware attack when hackers encrypt your data and demand payment to release it.
“You have to train your people, and this is across small, medium and large enterprises; it’s the same everywhere,” said David Sikina, a senior manager at the Grand Rapids office of Plante Moran PLLC. “The human element is the weakest link, and without proper training, they’re not going to know how to react, they’re not going to know how to respond, they’re not going to know how to identify threats when they’re presented with them in an email or a text message, or even a voicemail message. At the end of the day it’s risk mitigation. It really comes down to that one fundamental concept.”
Five to 10 years ago, if you got a suspicious-looking email, “you could tell pretty quickly something was weird about it,” Steed said. The email typically had spelling and grammatical errors and used an unusual font and formatting.
“Those days are gone. There are now emails that come through that are fraudulent, but look for all intents and purposes very, very legitimate,” Steed said.
When employees suspect an email is fake, they should simply call the purported sender who’s asking for information to verify the correspondence, an easy practice that in today’s fast-paced world that is “just not in the current workflow,” he said. The problem has gotten even worse in today’s era of remote work, Steed added.
“Everybody’s just working so fast now through email that these things just don’t get caught,” he said. “You just have this tendency to react to an email, clicking on a link, sending the information you shouldn’t, changing payment information when you should have verified it in other ways. That’s just the way these (crimes) unfold given the way that we work now.”
Organizations need to “do the easy stuff” and practice “basic cyber hygiene” by training staff on how to identify potential threats and respond, Sikina said.
Companies also should use strong passwords, update passwords regularly and use multi-factor authentication when logging into the company’s system, he said. Multi-factor authentication can prevent most breach attempts and “stop it dead in its tracks.”
“Whether it’s in the corporate world or in your personal life, do the basics and protect yourself. With very little effort, you can eliminate a large number of the threats out there, but you have to do something. You can’t just hope for the best,” he said.
The number of internet crimes reported annually to the FBI nearly tripled from 2016 to 2021 to 847,376 complaints, while the cost to victims more than quadrupled from $1.5 billion to $6.9 billion.
The growing annual losses indicate that the cost per incident is increasing and “the bad guys, the threat actors, are getting better at this,” Sikina said. Cyber criminals are “getting better at extracting money from organizations” and they often conduct research on the companies prior to an attack, he said.
“These aren’t disgruntled teenagers in their parents’ basement misbehaving. This is organized crime and in some cases state-sponsored crime” by rogue nations, Sikina said.
The most costly internet crime by far last year was business email compromise and email account compromise (BE/EAC) incidents where cybercriminals compromise email accounts to transfer funds. The nearly 20,000 BE/EAC complaints the FBI recorded last year cost victims a leading $2.39 billion, while ranking ninth on a list of the top 30 cybercrimes.
Phishing scams — where unsolicited email, text messages and telephone calls purportedly from a legitimate company request personal, financial or login information — were by far the most reported cybercrime, at nearly 324,000 complaints that cost victims $44.2 million. That’s nearly four times the second most-reported cybercrime, which was the non-payment for and non-delivery of goods and services.
To businesses, the cost of a data breach can prove quite costly.
An annual study by IBM Security and Traverse City-based Ponemon Institute estimates the average cost of a U.S. data breach in 2022 was a record $9.44 million, an amount that compares to $9.05 million in 2021 and is more than twice the $4.35 million average cost per incident globally.
The Ponemon Institute and IBM base the estimates on interviews with more than 3,600 representatives at 550 organizations globally, 64 of which are based in the U.S., that experienced a data breach between March 2021 and March 2022. The average costs include notifications, detection, a post-breach response, and lost business.
Incidents that began with phishing attacks were the costliest form of data breach, at an average $4.91 million globally, followed by business email compromise attacks at a $4.89 million average, according to the organizations’ 2022 Cost of a Data Breach Report. That kind of loss can put small and medium-sized businesses out of business if they lack cyber insurance coverage.
“They’re shuttering the doors at that point. They don’t have that sort of money to lose,” Steed said.
Cyber insurance can mitigate the potential loss, although both Steed and Sikina acknowledged separately that policy premiums have been rising in recent years as incidents and losses rise.
Businesses can mitigate the cost of an attack by having an incident response plan that details how they will handle an attack. They should also regularly conduct a “dry run” and test the plan, Steed said.
In the annual Data Breach Investigations report from Verizon, the cost to organizations with an incident response plan that they tested was $2.66 million less than the cost for groups that lack a plan.
While planning for a cyberattack has its own costs, doing nothing to prepare can cost more when an incident occurs, Steed said.
“Train and prepare. Nobody is immune. Everybody is a target, and you’ll be in a much better position if you’ve already planned for it, even a little bit,” he said. “Investing is a preventative measure now that will save you money in the future.”