Cybersecurity: how much cyber-attacks "cost" and the importance of protecting IT systems

20/04/2022

In an increasingly digitally connected world, cybersecurity threats have a very significant impact on the global economy.

Several areas have been affected by the changes brought on by the pandemic, and the government-imposed lockdowns in many countries have accelerated the digital shift. During the Covid-19 emergency, online sales reached $4.8 trillion, up 22% from the pre-pandemic period. The International Labor Organization noted a significant increase in the use of smart working (remote working) compared to the 260 million agile workers recorded in 2019.

Behind the digitization of work and services are technologies, including 5G, which globally attract significant investments.

On the other hand, however, our constant interaction with computer systems has increased:

  • the level of vulnerability to cyber-attacks and online fraud;
  • the threats posed by cybercriminals.

Specifically, the costs related to cybersecurity threats are estimated to be $10 trillion per year as of 2021, double what they were in 2015, and cyber-attacks have increased fivefold since the pandemic broke out.

The healthcare sector – followed by the energy and financial sectors – has the highest cost per breach: in 2020-2021, the average cost was $7.3 million. Breaches were caused by cyber-attacks (52%), by system anomalies (25%), and by human error (23%). The average annual cost of a data theft is $3.86 million. The estimated average cost for each record of personally identifiable information (PII), the most frequently stolen type of information, is $150.

In this context, which alarms both public institutions and private companies, preparing strategies to safeguard information systems and protect digital data is essential.

And this applies to both personal and non-personal data.

On the one hand, only the protection of information about natural persons is an obligation under EU Reg. 679/2016 (GDPR), which requires the adoption of adequate security measures to prevent data breaches that may have to be notified to the Data Protection Authority or communicated to data subjects. On the other hand, non-personal data, like personal data, are also a business asset, and protecting them:

  • favors business continuity and reduces the risk of service interruptions and the termination of activities;
  • helps defend the company's reputation, which suffers when the company is attacked.

For this reason, in order to make digitalization effective, it is no longer possible to separate the concept of technology from that of cybersecurity.

Legislators are also aware of this, as shown by the growing number of rules aimed at improving IT security standards that have been adopted at both European and national level in recent years.

Just think of the European NIS Directive 1148/2016, transposed in Italy by the NIS Decree of 2018 and due to be replaced by the NIS II Directive, whose proposal was published on November 4 last year. The NIS Directive:

  • requires member states to adopt a cybersecurity strategy while leaving them free to choose how to implement it;
  • applies to ESOs (Essential Service Operators) in the healthcare, banking and transport sectors and to DSPs (Digital Service Providers) in e-commerce, cloud services and online search engines.

In the wake of the NIS Directive, the European Regulation known as the Cybersecurity Act was issued in 2019, aimed at:

  • creating a harmonized framework for certifying the information security of digital products and services;
  • strengthening the role of ENISA (EU Agency for Network and Information Security).

In Italy, on November 20, 2019, the Decree establishing the National Cybersecurity Perimeter was converted into law. It introduces obligations for public and private entities on which the exercise of an essential function of the State depends, i.e., the provision of a service that is essential for maintaining activities fundamental to the public interest, and whose malfunction, interruption or improper use may result in harm to national security.

The Decree of June 14, 2021 established the Agency for National Cybersecurity, a body with legal personality under public law and with regulatory, patrimonial, organizational, accounting and financial autonomy, created to protect national interests in the field of cybersecurity and to safeguard national security in cyberspace.

It is estimated that by 2026 nearly 26% of the world's GDP could depend on the digital economy. In such a scenario, a focus on the security, resilience and reliability of IT systems is at the heart of the challenges for the future, and is a key driver of growth not only for developed countries but also for emerging ones.

Avv. Maria Livia Rizzo, Dott. Alessio Grazia