Cost of a Cyber Attack: Hype or Reality?

Dr Magda CHELLY, CISSP, PhD
Magda On Cyber
Feb 16, 2021

According to Statista, the average cost of all cyber attacks to firms employing between 250 and 999 people amounted to 133 thousand dollars in 2020. On the other hand, Security Intelligence lists the average cost of a data breach as $3.92 million as of 2019. IBM estimates the same.

Where do those numbers come from, and are they relevant to your business? Is it reality or just hype?

We have all witnessed an increase in cyberattacks on all business types, regardless of size or industry. The threats are growing and changing quickly, targeting an ever-expanding attack surface. Every time a company adopts new technology, it expands its perimeter, and with it the attack surface. In other words, cybercriminals find new ways in through the expanded technological footprint.

Nothing is perfect in this world, including technology products, solutions, applications, and hardware. Nothing comes with 100% security. This includes cloud technologies as well, where protecting data and systems is a shared responsibility.

Snapshot of product vulnerabilities, including OS, application, and hardware

Source: https://www.cvedetails.com/product-list.php

Thus, while businesses are undergoing major digital transformations, embracing new products and applications, cybercriminals are taking advantage and exploiting every possible route to get in, steal information or disrupt operations. At the same time, companies lack the maturity and awareness required to prepare and respond.

Follow me on Twitter for further updates: https://twitter.com/m49D4ch3lly

To be prepared, organizations need to acknowledge that it is not a matter of “if” but “when.” Some companies still believe that if they spend a large budget on cybersecurity, it will not happen to them; this is incorrect. Various studies show that advanced persistent threats and organized cybercrime groups spend weeks and months preparing their cyber-attacks and customizing them to their target victims. Cybercriminals are also familiar with traditional security tools and controls, i.e., anti-virus and firewalls, and they can circumvent those controls when they need to, with either a technical attack or a social engineering attack.

Firewall Evasion and Spoofing

Source: nmap.org

Companies need a mature incident response plan and a clear understanding of when an incident has occurred. This can be a challenge with major, high-impact cyber-attacks such as ransomware. Organizations may also confuse Service Level Agreements (SLAs) with cyber-incident disruption and fail to differentiate the two. An SLA does not usually address cyber incidents, as these are unpredictable, and the recovery time in an SLA is different from the time needed to respond to an incident or to begin recovery.

The following identifies various factors to consider following a cyber-incident and helps readers think in depth about the possible implications for their businesses.

Let us start by defining cyber-attack vs. data breach:

  • A data breach is a security incident where personal data is accessed without authorization. Generally, data breaches are also personal data breaches and may be accidental or malicious.
  • A cyber attack is broader than a data breach, is deliberate, and can disrupt business.

The scale and extent of a security incident or a data breach differ from one incident to another, and from one company to another. A security incident or data breach can lead to a costly and substantial impact. A quick, careful, and well-organized response can minimize this impact. Thus, undoubtedly, companies without proper preparation and acknowledgment of this fact will be exposed to further effects and might never fully recover.

Source: https://www.jdsupra.com

Companies need to consider various factors to understand the real financial implications, costs and losses when a security incident or a data breach occurs. A security incident might or might not lead to a data breach.

In the case of a data breach, for example, given the variety of privacy and breach notification laws, the obligations and implications might differ and might accumulate in some instances.

Penalties and fines are the first costs that companies traditionally consider. However, there are other substantial costs. Notification costs might include the fees, charges, and expenses incurred to notify individuals, regulatory bodies, and any other involved parties that require notification. Following the notification, a company should be prepared to reply to inquiries, requests for clarification and legal proceedings. Each of these activities carries a cost.

Furthermore, data breach costs might include forensic investigations, whose outcomes may be an apology, a change in procedures, improved security safeguards, and payment of compensation for loss or damage suffered. In Japan, for example, apology money is due. All of these factors directly and indirectly increase the company’s financial losses following a data breach and are part of the data breach cost.

In the case of a successful cyberattack in general, a business might incur significant impacts, e.g., disruption of core systems, corruption of databases, business paralysis, etc. Traditionally, a security incident’s impacts are classified as financial, reputational, and legal. However, if these are not quantified, the real costs remain invisible.

The economic costs include financial losses arising from direct costs, indirect costs and third-party costs. Besides the immediate disruption, employee overtime, communication costs and other direct costs (recovery costs), third-party costs might arise, e.g., forensics costs, notification costs, share value losses, etc. Over the medium term, these events may result in loss of customers, loss of sales, and reduced profits. This might translate into a drop in market share, a drop in valuation, a delay in an initial public offering (IPO), etc.

In the case of a successful cyber-attack involving ransomware, the organization might face business interruption or operational paralysis. While both terms mean that the business cannot operate, the risk or insurance definition is interesting to consider. Business interruption refers to the financial loss a company suffers when its operations are disrupted. This loss includes both visible components, such as reduced sales and increased cost of working, and hidden components, such as loss of future revenue streams due to potential reputational damage. Reputational damage may arise due to an unfavorable change in perception by critical stakeholders of the firm’s ability to manage risks and thus deliver on stated goals and targets. Source: Marsh

In the case of a physical event, the business interruption is clear and straightforward, as shown in Marsh’s excellent visual.

Download the whole paper here.

In our case, with the ransomware attack, the business interruption might occur in precisely the same way, but with the triggering event being a cyber-event. Thus, referring back to the economic cost of a cyber attack, the company should consider the total recovery time. Total recovery time refers to the entire period during which a company’s operations and financials are affected by the disruption, including the costs related to market recovery.

As per Comparitech, breached companies underperform in the market in the long term, growing by 8.38% on average over the following year but still trailing the Nasdaq by 6.5%.

Another excellent example from the RSA blog is Target’s data breach in 2013. Target suffered a significant data breach involving the personal information of almost 70 million individuals. The cost of this data breach was estimated at $252 million.

Following the stock drop, the company needs to recover any market share it might have lost due to the event. The reputational impact is the main factor in the time required to recover: the higher it is, the greater the loss of market share and the longer the time spent restarting operations.

In summary, a cyber-attack cost is not just the direct, immediate cost related to a server recovery or IT operation restoration. It is a complex calculation that considers all the business implications. It is the cost of a business risk materializing.

Cyberattacks are unavoidable, but the way businesses prepare and respond differs. The use of available budgets and resources requires a continuous balance across people, process and technology controls, and a layered defense-in-depth approach. As they progress in their cybersecurity journey, organizations need to gain further control over the economic cost of a cyber-attack. Finally, only by understanding the financial implications of cyber risk and integrating them into the enterprise risk management process will organizations reduce their risk and the inevitable economic consequences of a cyberattack.

Who am I?

I am a keynote speaker, a serial entrepreneur and a senior cyber security expert. I am currently leading the cyber business for an international Fortune 500 insurance-broking firm in Asia.

I am a strong activist for women in security, and I founded the Women of Security Singapore Chapter (WoSEC), supporting female professionals in the industry.

I am a member of the Advisory Board for the Executive Summit at Black Hat Asia, and I am the co-founder of Responsible Cyber Pte. Ltd., a Singapore-based start-up with NUS Enterprise, the entrepreneurial arm of the National University of Singapore, and Singtel Innov8, the venture capital arm of the Singtel Group, as its shareholders. The company has been valued at 7 Million SGD in May 2020.

I have a PhD in Telecommunication Engineering issued by Telecom SudParis and speak five languages fluently.

My research topics have focused on Cyber Security, the future of localisation and positioning, education and more. My writings on cybersecurity have been featured by IEEE, RSA Conference, CYBERSEC, World Congress on Internet Security (WorldCIS-2016), CYBER RISK LEADERS Magazine, among others.

I speak about cybersecurity in general with a focus on cyber risk management, hacking and diversity and inclusion in the field.

I welcome you to watch some of my insights on Channel News Asia in a documentary on the Dark Web (at approximately 18:09): https://www.channelnewsasia.com/news/video-on-demand/the-dark-web

Follow me on Social Media:


Cyberfeminist | Entrepreneur | Former CISO | PhD, CISSP, S-CISO | CoFounder Responsible Cyber | @womenoncyber | Documentary The Dark Web on @myCanal