A new report from Barracuda Networks shows that cyber incidents are costing organizations millions. Attacks are also becoming a lot more sophisticated, with fears about the impact of AI.
57 percent of the 1,917 IT security professionals surveyed said they had experienced one or more cyber attacks in the past year. The annual financial burden to organizations of responding to cyber incidents is striking: it represents an average cost of 4.9 million euros.
The survey was conducted among representatives of organizations with 100 to 5,000 employees. Respondents came from the US, UK, France, Germany and Australia.
A majority of them feel unprepared for cyber attacks. An inadequate security budget (55 percent), inconsistent security policies and software (42 percent) and too little insight into third parties’ access to secure information (38 percent) were mentioned most often.
Ransomware: paying up or not?
71 percent of all respondents experienced a ransomware attack in the past year. Of those, 61 percent paid the ransom demanded. Whether or not to pay remains a thorny question, as being forced to shut down business operations can easily cost more than a single payment to cybercriminals.
Cybercriminals thus have a significant chance of success with a ransomware demand. In addition, they benefit from another advantage. Attackers are able to exploit a vulnerability within 6 hours, whereas it takes IT teams 427 hours to investigate a phishing attack.
The consequences of a phishing attack can therefore be enormous, although they vary widely. The loss of sensitive information (17 percent), a lawsuit (17 percent), lost revenue (14 percent), fines (14 percent) and loss of employees (13 percent) are all cited repeatedly.
AI as a weapon for and against cybercrime
Exactly half of those surveyed believe AI will only make these issues worse, resulting in more attacks. It remains to be seen how this will actually manifest itself. For now, it is limited to convincing phishing emails written with ChatGPT or other AI applications as accomplices, but more ambitious applications are certainly conceivable.
Still, it should be said that security companies themselves are also using AI to protect customers. AI-based anomaly detection and other ML applications have been around for years, while generative solutions can also ensure that data is more readily understandable to security teams. Regardless, respondents are not sure of a net positive outcome.
Barracuda Networks directs its guidance towards both fellow vendors and organizations themselves. For example, security companies need to speak the same “language” when it comes to cyber risk, especially when dealing with advanced (and perhaps AI-powered) threats. Organizations should rely on a platform approach rather than different tools that do not integrate with each other, according to the company. Yet again, it appears that the solution is largely a mental one: an observant culture, the right data policies and a good, simple plan can all contribute to a good security level.