Cybersecurity incidents are not merely technical problems: they directly affect a business's finances and reputation, and therefore its overall success. Even a small breach can disrupt a business in several far-reaching ways:
1. A loss of customer confidence.
2. Regulatory fines for breaching data-protection or industry rules.
3. Operational downtime while systems are contained, rebuilt and verified.
4. Damage to the organization's reputation in the marketplace.
Analyzing the real costs of these attacks shows how much funding preventative measures actually deserve.
The financial impact of data breaches can be seen in several well-known cases:
1. Equifax's 2017 data breach exposed the personal information of about 147 million U.S. consumers. The company reported well over $1 billion in breach-related costs (regulatory settlements, free credit monitoring, litigation and security remediation), and its reputation suffered for years afterwards.
2. Colonial Pipeline was hit by a ransomware attack in 2021 that caused a six-day shutdown of pipeline operations and a ransom payment of roughly $4.4 million (part of which was later recovered by the U.S. Department of Justice). The economic impact went well beyond the company itself, causing fuel shortages along the U.S. East Coast.
3. Yahoo suffered data breaches in 2013 and 2014 that together affected about 3 billion user accounts. When the breaches came to light during its acquisition by Verizon, the purchase price was cut by $350 million as a direct consequence.
4. The 2017 NotPetya attack crippled Maersk's global shipping operations; the company estimated the cost at $250–300 million. The incident also showed how an attack can propagate through suppliers and partners, highlighting supply-chain risk.
Industry reports put the cost of a cyber incident to a small business in the range of $100,000–$500,000. Almost every incident forces the company to engage legal counsel on its notification and liability obligations, notify affected customers, and restore its IT systems, and those three items alone add up quickly.
Cost Types
1. Direct Financial Costs
Fines, investigation and remediation, ransom payments
2. Operational Costs
Downtime, lost sales, supply-chain disruption
3. Reputational Costs
Loss of customer trust, negative media attention, reduced revenue
4. Legal/Regulatory Costs
GDPR and similar fines, class-action lawsuits, compliance audits
Ways to Reduce Costs
1. Prevention First
A. Patch systems regularly, prioritizing internet-facing services
B. Train employees to recognize phishing and other social-engineering scams
C. Implement strong access controls, including least-privilege permissions
2. Detection/Response
A. Monitor network traffic and user behavior for anomalies
B. Perform penetration testing and vulnerability assessments
C. Develop, document and rehearse incident-response procedures
3. Mitigation/Recovery
A. Back up data regularly to an off-site location and test that backups restore
B. Segment critical systems so a compromise in one area cannot spread
C. Enforce multi-factor authentication throughout the organization
Realistic Scenario
Imagine a mid-size e-commerce company:
1. A misconfigured web API allowed unauthenticated access to its customer database.
2. Privacy law required the company to notify every affected individual.
3. The engineering team spent weeks investigating and fixing the problem instead of working on the product.
4. Customers lost faith in the company and cancelled their accounts.
5. The estimated total loss, combining remediation, revenue lost from cancelled accounts and reputational damage, comes to $250,000–$400,000.
A single misstep can set off a domino effect that ends in significant costs.
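The scenario above names the root cause as a misconfigured web API, and the most common form of that misconfiguration is an endpoint that serves a record to anyone who supplies its identifier. The following added example (not code from the original page, and not from any real company) shows a toy customer-records endpoint in that misconfigured state beside a hardened version that authenticates the caller and enforces object-level authorization. The customer records, bearer tokens, route shape and handler names are all constructed for illustration.

```python
"""Added example: a misconfigured customer-records API handler beside a
hardened one.  All data, tokens and names below are constructed."""
import hmac
from dataclasses import dataclass

# Constructed sample data: customer records keyed by customer id.
CUSTOMERS = {
    1001: {"email": "ana@example.com", "card_last4": "4242"},
    1002: {"email": "ben@example.com", "card_last4": "1111"},
}
# Constructed bearer tokens and the customer id each one belongs to.
TOKENS = {"tok-ana": 1001, "tok-ben": 1002}


@dataclass
class Request:
    path: str
    headers: dict


@dataclass
class Response:
    status: int
    body: object


def _customer_id_from_path(path):
    """Parse /api/customers/<id>; return None for anything else."""
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[:2] != ["api", "customers"] or not parts[2].isdigit():
        return None
    return int(parts[2])


def handle_vulnerable(req):
    """Misconfigured endpoint: no authentication and no ownership check, so
    anyone who knows (or simply counts through) ids can read every record."""
    cid = _customer_id_from_path(req.path)
    if cid is None or cid not in CUSTOMERS:
        return Response(404, {"error": "not found"})
    return Response(200, CUSTOMERS[cid])


def _caller_id(req):
    """Resolve the Authorization header to a customer id, or None."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):].encode()
    # Constant-time comparison so token checking does not leak timing.
    for token, cid in TOKENS.items():
        if hmac.compare_digest(presented, token.encode()):
            return cid
    return None


def handle_hardened(req):
    """Authenticate, then enforce object-level authorization: a customer may
    read only their own record.  A record the caller does not own returns 404
    rather than 403 so valid ids cannot be enumerated, and only the fields the
    client needs are returned."""
    caller = _caller_id(req)
    if caller is None:
        return Response(401, {"error": "authentication required"})
    cid = _customer_id_from_path(req.path)
    if cid is None or cid not in CUSTOMERS or cid != caller:
        return Response(404, {"error": "not found"})
    return Response(200, {"email": CUSTOMERS[cid]["email"]})


def enumerate_records(handler, ids, headers=None):
    """Simulate an attacker walking a range of ids; return how many records leak."""
    leaked = 0
    for i in ids:
        if handler(Request(f"/api/customers/{i}", headers or {})).status == 200:
            leaked += 1
    return leaked


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable, no credentials:", enumerate_records(handle_vulnerable, ids))
    print("hardened, no credentials:  ", enumerate_records(handle_hardened, ids))
    print("hardened, Ana's token:     ",
          enumerate_records(handle_hardened, ids, {"Authorization": "Bearer tok-ana"}))
```

Running the script shows the vulnerable handler leaking every record to an unauthenticated id sweep, while the hardened handler returns nothing without credentials and exactly one record (the caller's own) with a valid token. In a real deployment the denied requests in `handle_hardened` should also be logged, because a burst of 401 and 404 responses across consecutive ids is precisely the signal the "monitor user behavior" item above is meant to catch.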
Key Takeaways
1. Businesses routinely underestimate the financial impact of a data breach.
2. Beyond direct monetary losses, breaches bring indirect costs: revenue lost during downtime, staff pulled onto incident work and the resulting drop in productivity, and lasting damage to the company's reputation.
3. Small and medium-sized businesses face the same risks as large enterprises, usually with fewer resources to absorb them.
4. By investing in prevention, monitoring and response planning, companies reduce both the likelihood of a breach and the damage if one occurs.