When we published our 2019 Global Threat Intelligence Report (GTIR) last month (which is well worth a read to understand the latest threats), we also published a slide deck called ‘12 things you didn’t know about internet threats in 2019’.

These slides provide an interesting range of insight on internet threats from NTT Security and external sources.

Much has been written about the data from the GTIR, so I’ll use this blog post as an opportunity to examine two other sources, starting with an assessment by City of London insurer Lloyd's. In its City Risk Index, Lloyd's examines the size of economic output (GDP) that 279 leading global cities would lose from 22 man-made and natural threats, including cyber attacks, economic crises, political conflict and extreme weather. 

The scale of potential losses is massive. Cyber attacks in themselves put at risk more than $36bn of GDP from those cities alone (more than the entire GDP of Bahrain). New York, Los Angeles, London, Tokyo and Paris have over $1bn each to lose. That’s a mighty EUR452 for each adult and child in Paris, the highest of the five.

However, it’s the USA and Asia that have the most to lose overall. The US makes up 17 of the top 40 cities for GDP globally. With the inclusion of Toronto, North America has nearly $15bn of GDP at risk from cyber attacks. Asia has over $10bn at risk (with Japanese cities having the most at risk), while Europe has more than $9bn of GDP at risk from cyber attacks.

Lloyd's considers that the Middle East, Africa and Latin America carry a greater risk in terms of the percentage of GDP at risk in total, but that this risk is more attributable to potential conflict or direct economic concerns respectively.

The scale of cybersecurity risk faced by the Americas was highlighted in our GTIR regional summary, with the region's technology, finance and business and professional services sectors under considerable pressure. Nearly one-third (32%) of attacks facing the Americas originate from within the USA, our data shows.

The figures from Lloyd's are in line with the assessment of the cost of recovery from a cyber incident which we reported in our Risk:Value research last year. We found that the effects of a cyber attack spread well beyond the initial cost. More than half (56%) of businesses reported that, if information was stolen in a breach, there would be a loss of customer confidence while 52% reported that the company brand would be damaged.

Governments and private sector organizations around the world should take note of the scale and impact and assess their exposure to this risk. NTT Security already empowers organizations around the world with a detailed understanding of risk.

Unfortunately, an all-too-regular response among businesses in the face of adversity is to pay off the cybercriminal in the hope of being left alone. 34% of organizations around the world would consider paying a ransom to a hacker rather than invest in cybersecurity because it is cheaper, our Risk:Value research showed. 

This figure masks several apparently contributory factors. One of those is responsibility for cybersecurity in the organization concerned. Where a CEO is deemed to be ultimately responsible for cybersecurity, the organization has a greater propensity to try to bail out of difficulties by paying a ransom (44% of companies – 10 percentage points above average). Where a Chief Information Security Officer (CISO) is deemed to be the person ultimately responsible, the propensity to pay a ransom falls significantly – to 26%. While sponsorship from the leadership team is essential to the success of cybersecurity strategy in any organization, these figures do illustrate the importance of building a strong security function.

The second characteristic of ransom payers backs this up. Those organizations that would pay a ransom tend to lack adequate cybersecurity resources or skills in-house, by their own admission. A massive 68% of companies that strongly agree they do not have adequate cybersecurity resources or skills would consider paying a ransom. Among organizations that strongly disagree (i.e. they have adequate resources and skills), just 14% would consider paying a ransom.

Source: NTT Security Risk:Value research

The willingness to pay a ransom is both worrying and shocking. Aside from the blatant disregard of good cybersecurity practice, payment to a cybercriminal guarantees nothing, and can even encourage further attacks.

We’ll continue to monitor this issue. With ransoms being a major vehicle for attackers motivated by profit, businesses need to understand and apply best practice now.