Cybercrime costs Dutch businesses €10 billion per year
A new report has shown that cybercrime causes a loss of value of €10 billion per year in the Dutch business sector, or 1.3% of the GDP. For SMEs, the threats are the greatest and their role as a supplier to large companies also endangers corporates – however this interconnectivity is also a strength, with experts recommending companies work together more and form 'cybersecurity communities'.
A new Deloitte survey has identified the cyber risks for the 2,600 largest companies in the Netherlands and 250,000 SMEs. Making use of the Cyber Value at Risk model developed by the Big Four office together with the World Economic Forum, the report provides insight into the potential loss of value for companies by quantifying the damage of possible future attacks. The companies were divided into fifteen sectors, allowing a comparison to determine the sectors in which companies are most at risk. With the research results, Deloitte wants to help Dutch administrators make better informed decisions about which investments in the field of cyber security are required within their organisation.
The research shows that cybercrime currently causes a loss of value of approximately €10 billion per year. €9 billion of this is accounted for by large companies and corporates, while the entire Dutch SME sector has to deal with a loss of value of €1 billion. The enormous amounts lost each year due to cybercrime are, according to the researchers, an illustration of the high degree to which the Dutch business community has been digitised. The greatest risks of loss of value arise from interruptions of operational continuity (26%), loss of the reliability of communication and IT systems (26%), and loss of confidential information from third parties (25%).
Hacks like this can have major implications for even the largest companies. Equifax announced in September that an incident had allowed hackers to gain access to the personal information of about 143 million Americans, along with a large number of Canadian and as many as 400,000 British individuals – spurring the FBI and the US Federal Trade Commission to launch formal investigations. Since then, at least 50 class action lawsuits have been filed against the company – issuing a stark warning for firms in the future to pay better attention to detail when regarding their exact cyber-security measures – while a huge amount of value was wiped from Equifax’s stock following the scandal.
This is rare, however, as large corporates are in general relatively well-positioned to absorb value losses. It is mainly the small and medium-sized enterprises which see their organisation and image lastingly damaged by attacks. Smaller companies cannot obtain economies of scale from their investments in cybersecurity, which means that the returns on investment (ROI) are much lower than for larger organisations.
Maarten van Wieren, a cyber security expert at Deloitte, said, "SMEs often have a less mature cyber security policy or respond only after incidents, while the cyber attacks become more refined and complex at the same time. Because they are more vulnerable to cyber attacks, they become an increasingly attractive victim. At the same time, it is becoming less and less affordable for small and medium-sized businesses to take measures that keep the cyber criminals out, as the attacks on their digital environment become more sophisticated.”
According to the researchers, however, there should be shared responsibility. Van Wieren explained, "On the one hand, small and medium-sized businesses themselves are vulnerable to cyber attacks, on the other hand their vulnerability poses a risk to larger companies given their role as a supplier."
More and more digital information is exchanged between SMEs and corporates, but due to the lower maturity in cyber security, this data can easily be captured by cyber attackers. Van Wieren continued, "Putting the cybersecurity of small and medium-sized businesses in order has become a shared responsibility. Public-private partnerships are becoming increasingly important and only by working together can we achieve a resilient and strong digital economy."
Cyber security communities
Given the increased importance of cooperation and shared responsibility, according to Deloitte, stakeholders should collectively organise cyber risk management. By creating so-called "cyber security communities", economies of scale are realised for investments in cybersecurity, which means that the smaller companies can also benefit from improved security of their cyber environment.
According to the researchers, the need for these collective investments is increased because the increasing complexity and sophistication of cyber attacks reduces the ROI of companies on cyber security investments. "As companies become increasingly interconnected on a digital level and there are fewer analogous alternatives to fall back on, organisations are becoming increasingly dependent on each other for their security," the researchers concluded.
To help clients combat cybercrime, Deloitte opened a Cyber Intelligence Center in The Hague in the summer of 2016 . The bureau is also one of the founding partners of the Dutch Cyber Collective and partner of The Hague Security Delta. Deloitte is currently one of the globe’s largest cybersecurity consultancies, but was rocked earlier in 2017 when it revealed it had itself been victim of a major cybersecurity breach. According to sources close to the matter, hackers may have accessed usernames, passwords and personal details of the firm’s clients, in an attack that went unnoticed for months.