Credential-related attacks lead to the biggest financial losses, says report

Extreme loss events could cost victims 100 times their annual revenue or more, says the Cyentia Institute

Cyber attacks resulting from stolen credentials are more common and more financially damaging for organisations than any other type of cyber incident, according to new research.

The Cyentia Institute's IRIS Xtreme report [pdf] reviewed 103 large cyber-loss events from the last five years, and found that credential-related attacks were responsible for more incidents (46 per cent) and more total losses ($10 billion) than any other attack vector. By comparison, remote access malware incidents, the next most damaging vector, accounted for 31 per cent of extreme loss events and $9.2 billion in financial losses.

The 103 events that Cyentia researchers reviewed for their report were responsible for a total of $18 billion in reported losses and 10 billion compromised records. The median cost of these extreme events was $47 million, but more than a quarter of them exceeded $100 million.

The researchers found that some attacks cost victims nearly 100 times their annual revenue, while others cost as little as 0.1 per cent of revenue. Lost productivity, response costs and fines were the most common forms of loss.

"For the majority of organisations, even these catastrophic events represent 10 per cent or less of their annual revenue," the researchers said.

"For an unlucky 14 per cent of the firms, these extreme events result in costs that exceed annual revenues. These... firms are typically the smaller firms (firms with less than $50 million in revenues)."

Fraud, ransomware, data breaches and cryptocurrency theft are the costliest and the most common types of extreme cyber events - and a single ransomware campaign was responsible for a huge proportion of losses. NotPetya, in 2017, represented nearly 20 per cent of all losses across all events in the report.

The likelihood of an extreme incident varies from industry to industry, with government agencies, financial firms, administrative support and information services having the highest rates.

Financial, information and manufacturing sectors were victims in more than half of the 103 incidents, according to the report.