SINGAPORE: The economic damage from cyberattacks on companies in Singapore last year amounted to US$17.7 billion (S$23.8 billion), with much of that loss caused by the impact on the wider ecosystem and leading to decreased consumer and enterprise spending, a Microsoft study released on Friday (May 18) found.
The study, conducted by Frost and Sullivan, showed that only about 20 per cent of that damage was caused by the direct impact of a cyberattack on a company's financials, as a result of things such as fines and remediation costs.
The majority of the loss, or 64 per cent, was because of an “induced loss”. This was defined by the research firm as the impact of a cyber breach on the broader ecosystem and economy.
By comparison, the economic loss from cyberattacks for Asia Pacific as a whole was US$1.75 trillion (S$2.3 trillion) last year, the findings showed.
The breakdown for the region was 10 per cent for direct loss, 30 per cent for indirect loss - referring to opportunity cost such as reputation loss leading to customer churn and job losses - and 60 per cent for induced loss, according to Frost and Sullivan.
Mr Edison Yu, vice president and Asia Pacific head of Enterprise for Frost and Sullivan, said during the presentation of the report that while direct losses from these breaches are most apparent, they are “but the tip of the iceberg”.
As such, its study came up with an economic loss model that looked to include other aspects such as job loss and customer churn due to damage to a company’s reputation.
For a large-sized organisation of more than 500 employees in Singapore, Mr Yu said, the economic damage from a cybersecurity incident was, on average, US$13.8 million (S$18.5 million).
A deeper look into this figure, however, showed that the direct loss - which includes things such as productivity loss and customer disruption - amounted to US$2.7 million. Induced loss accounted for US$7.7 million, and indirect loss was US$3.4 million.
When a cyberattack occurs, jobs too are placed at risk. The study showed that cyberattacks resulted in job losses across different functions in 57 per cent of Singapore organisations that had an incident over the last 12 months.
Elaborating, Mr Yu said that jobs may become redundant if the company has to close down the business unit affected by the attack.
The study, commissioned by the US tech giant, surveyed 1,300 respondents from 13 Asia Pacific markets including Singapore. The respondents included business and IT decision-makers involved in the shaping of their companies’ cybersecurity strategies.
DATA CORRUPTION, BRAND IMPERSONATION BIGGEST HEADACHES
The study also found that while cyberattacks such as ransomware have hogged the headlines recently, it is actually fraudulent wire transfer, data corruption, online brand impersonation and data exfiltration (the ability to get data out from an organisation) that are most concerning for companies that have suffered attacks.
These are the “silent killers” for companies as they have the highest impact with the slowest recovery time, Mr Yu explained. “They may be invisible to the organisations,” he added.
Yet, even as the ramifications of cyberattacks have proven to be evident, the study found that of the Asia Pacific companies that have suffered a cyberattack, only 25 per cent had considered cybersecurity before starting a digital transformation project.
By comparison, 34 per cent of organisations that have not suffered a cyberattack do so, it added.
“The rest of the organisations either think about cybersecurity only after they start on the project or do not consider it at all,” the study said.