Our trusted partner, Protection Group International, has written this helpful article on the costs of a cyber attack and how to prepare for one.
We’re all used to articles citing eye-watering figures on what a data breach or ransomware attack can cost an organisation, typically figures ranging from thousands through to millions.
But where does that money actually get spent? Not all attacks cost in the millions like some of the high-profile ones, but regardless of the size of business, any unnecessary spend is something we prefer to avoid if we can help it.
Breaking down the costs of a cyber attack
Let’s look at some of the statistics:
39% of businesses report having cyber security breaches or attacks in the last 12 months (DCMS Cyber Security Breaches Survey 2021).
Among that 39%, 21% end up losing money, data or other assets (DCMS, 2021).
35% of businesses report being negatively impacted because they require new post-breach measures, have staff time diverted or suffer wider business disruption (DCMS, 2021).
In the UK, the average cost of all the cyber security breaches these businesses have experienced in the past 12 months is estimated to be £8,460 (DCMS, 2021).
For medium and large firms combined, this average cost is higher, at £13,400 (DCMS, 2021), but according to the 2021 Hiscox Cyber Readiness report, the biggest loss for a single organisation was £15.8 million.
Only 31% have a business continuity plan that covers cyber security (DCMS, 2021).
The average cost per customer personally identifiable information (PII) record was $180 USD globally (IBM Cost of a Data Breach Report 2021).
Of course, not all attacks (e.g., ransomware attack vs. data breach) will have the same outcome (e.g., operational disruption vs. loss of data), but there are some key costs that most organisations won’t be able to avoid.
Here are the key potential cost components you need to factor in when thinking about the impact an attack might have on your organisation.
While larger organisations may have a detection system or even a fully staffed Security Operations Centre in place, sadly, for a lot of businesses (micro, small and medium), it’s most often the case that the symptoms of a cyber incident must be bad enough to impact operations before anyone realises there is a problem.
Regardless, once detected, whether you have an in-house Incident Response team or you have to bring in a third-party, you need specialist skills to handle an incident. That could include not just technical experts to understand the problem and get systems up and running again but other specialists, such as a PR agency to deal with communications. These specialists come at a high price for a reason and more so in emergency situations, and they may be needed for some time before the incident is initially under control (according to IBM’s 2021 report, the average time to identify and contain a breach is about 287 days, up by 7 days from their 2020 report). When calculating this cost, you should consider how much time you might need to engage external specialists for and how you want to manage the incident (e.g., do you want to investigate so you can pursue legal avenues later?). But plan on a day rate of anything between £800 – £1500/day.
And that’s not all. Once you’ve contained the incident and communicated it to your stakeholders, you may then also need a third-party to assess and audit your organisation’s security measures, to ensure there is less likely to be a next time—or if there is, measures are put in place to limit impact.
If your organisation has an Incident Response or Crisis Communications Plan in place, notifying your various stakeholders will be one of the key tasks. Letting customers or subscribers know that their data has been leaked on the dark web, communicating with regulators, and the time in-house teams spend liaising with external specialists all come with costs that can add up. In the big scheme of things, the IBM report noted that these types of costs only accounted for 6% of an overall incident bill; nevertheless, it’s adding to a growing list of expenses.
Lost business/loss of reputation
If your factory floor comes to a complete standstill because your manufacturing equipment is connected to the network that has been hit with ransomware, you won’t be able to supply your customers—unless you have contingency stock and/or your operations are only down for a short period. It’s no surprise that lost business is the largest cost on the cyber incident bill, coming in at up to 40% of the total. Loss of operations can have both short- and long-term ramifications, too; if your customers need to go elsewhere to get what they need, it’s not a certainty that they will come back to you when the incident is over.
Sadly, and somewhat unfairly given the ubiquity of issues such as ransomware, cyber attacks can also impact an organisation’s reputation. This is a difficult cost to calculate but it is ‘a thing’ according to Hiscox, which reports that 15% of respondents who had been hit struggled with exactly this and reported more difficulties in attracting new business.
Recovery period (or ‘long tail’ costs)
The costs associated with an attack can continue to arise for a long time, even months or years, after the initial incident. Some of these may include:
Communications. Ongoing communication with stakeholders could have a hefty price tag attached, especially if the impact of the breach is severe (e.g., the leak of Personally Identifiable Information).
Reparations. These may be required for customers in the form of credit monitoring, payouts or product discounts. This is about rebuilding trust with your stakeholders – they will want to know you are making the utmost effort to limit the impact to them. Warner Music Group offered ‘identity monitoring services’ for 12 months to their subscribers.
Legal costs. Of course, these are not unexpected; whether the organisation is prosecuting the persons responsible for a breach/attack or they must respond to class action taken out by stakeholders, like the one Colonial Pipeline is dealing with now.
Regulatory fines. And finally, regulator fines, particularly in highly regulated industries, can be immense. As a well-known example, the ICO fined British Airways £20m (reduced from £183m – 1.5% of the airline’s global turnover in 2017) for breaching the GDPR in 2018.
How to prepare your organisation to minimise the impact of a breach
According to the 2020 IBM Cost of a Data Breach Report, “Incident Response preparedness was the highest cost saver for businesses”. This trend has continued in 2021, with businesses that have an Incident Response team and have tested their plans seeing a lower average cost if they are breached.
But what does that look like?
Hire (and train) the right people. For those organisations with the resources to invest in any sort of in-house cyber response capability, whether this is a SOC or a designated security incident manager, it’s important to make sure they have relevant skills and are keeping them up to date.
Think ahead. For those who don’t have these resources, it’s important to know who you will talk to if something goes wrong. Outsourcing incident response can be the most cost-effective option, but it will be even more cost effective if you plan ahead and develop a relationship with an external cyber security consultancy when things are running smoothly. This gives their team the opportunity to understand your operations, so they can hit the ground running when they are called. Starting from scratch in the middle of an emergency will invariably take away from time needed for meaningful activity to contain the incident.
Have a plan, test that plan. An incident response plan which sets out how your organisation will respond to a cyber incident—including issues such as technical responses, roles and responsibilities and communications protocols—will greatly reduce the time needed to contain an incident. But something on paper doesn’t always work out when put into action. Think about testing your plan; for example, if you are hit by a ransomware attack, do you know how long it would take to restore your systems from back-up? Have you ever run a tabletop exercise that replicates the conditions of a cyber incident?
Understand your security posture
Lastly, it’s also helpful if you have a wider understanding of how your organisation is set up to defend against digital threats. We help a lot of our clients achieve this understanding with a maturity assessment. Our consultants spend time in your business to analyse your cyber security and compliance requirements and to establish the effectiveness of the measures you currently have in place. They evaluate whether those measures align with organisational maturity targets based upon risk appetite, stakeholder expectations, and regulatory/legal requirements. This allows you to build on your existing foundation and only spend money where you need to.