Cyberattacks have become one of the top security concerns for businesses all over the world, because the attacks have multiplied in recent years and are increasingly difficult to counter as hackers become more professional. SMEs, ETIs, large companies, public services: all sectors are concerned.
In 2022 alone, successful (proven) cyberattacks cost French companies no less than 2 billion euros (ETIs, large companies and administrations), not counting the expenses incurred for prevention upstream to secure data and train the teams, reveals a study by the Asterès firm published on Tuesday.
This figure is surely a significant underestimate, because many business leaders do not want to declare the attacks they have faced, for fear of damaging the reputation of their organization. Witness the figures of the ANSSI (National Agency for the Security of Information Systems): 831 attacks have been declared to the agency, and it is estimated that this number represents only 0.2% of the reality.
SMEs on the front line
Unsurprisingly, SMEs are the most affected by successful attacks. A “successful attack” is defined as a proven intrusion that has had an operational or financial impact on an organization. In 2022, “among the 347,000 successful cyberattacks affecting businesses, 330,000 concern SMEs”, details the Asterès report.
The reasons for this targeting are quite clear: SMEs are less prepared for cyber risks and have less money to spend on preventing them. “These medium-sized companies do not necessarily have an IT department to prevent risks, and also lack personnel to manage prevention and attacks”, explains Sylvie Roche, director of CRIP (Club of IT infrastructure, technology and production managers), which represents more than 350 companies, large accounts and administrations.
Payment of ransoms
The report estimates that nearly 400,000 cyberattacks were successful last year, or 1.8 per organization. The average cost of an attack is 59,000 euros, but the reality is much more variable depending on the type of intrusion and company. This estimate covers the direct cost of the attack (the resolution of the crisis by internal and external teams), the amount of the ransom paid, as well as the loss of productivity directly linked to the attack, the resolution of which can sometimes take up to several weeks.
“Corporations are fighting tightly-knit pirate organizations that are getting better and better organized”
Sylvie Roche, Director of CRIP
Nearly three-quarters of companies that experienced at least one successful attack were hit through “phishing” or “spear phishing” campaigns, i.e. via fraudulent emails or online scams. The second most common type of attack is the exploitation of a vulnerability in the company’s information systems.
It is clear that in many cases, companies targeted by cyberattacks are forced to pay the ransom demanded by hackers. “Companies are fighting highly structured pirate organizations that are getting better and better organized. Many pay the demanded ransom because it is sometimes cheaper than completely rebuilding an IT system,” laments Sylvie Roche. Similarly, paying a ransom can sometimes stop a cyberattack faster than resolving the intrusion internally, which can significantly affect the production of the company.