Our Trusted Partner Protection Group International has written this helpful article on the costs of a cyber attack and how to prepare for an attack.
We’re all used to articles citing eye-watering figures on what a data breach or ransomware attack can cost an organisation; typically figures ranging from thousands through to millions.
But where does that money actually get spent? Not all attacks cost in the millions like some of the high-profile ones, but regardless of the size of business, any unnecessary spend is something we prefer to avoid if we can help it.
Let’s look at some of the statistics:
Of course, not all attacks (e.g., ransomware attack vs. data breach) will have the same outcome (e.g., operational disruption vs. loss of data), but there are some key costs that most organisations won’t be able to avoid.
Here are the key potential cost components you need to factor in when thinking about the impact an attack might have on your organisation.
While larger organisations may have a detection system or even a fully staffed Security Operations Centre in place, sadly, for a lot of businesses (micro, small and medium), it’s most often the case that the symptoms of a cyber incident must be bad enough to impact operations before anyone realises there is a problem.
Regardless, once an incident is detected, whether you have an in-house Incident Response team or have to bring in a third party, you need specialist skills to handle it. That could include not just technical experts to understand the problem and get systems up and running again, but other specialists such as a PR agency to deal with communications. These specialists come at a high price for a reason, more so in emergency situations, and they may be needed for some time before the incident is under control (according to IBM’s 2021 report, the average time to identify and contain a breach is about 287 days, up by 7 days from their 2020 report). When calculating this cost, consider how long you might need to engage external specialists and how you want to manage the incident (e.g., do you want to investigate so you can pursue legal avenues later?). But plan on a day rate of anything between £800 and £1500 per day.
And that’s not all. Once you’ve contained the incident and communicated it to your stakeholders, you may then also need a third party to assess and audit your organisation’s security measures, to ensure there is less likely to be a next time—or if there is, measures are put in place to limit the impact.
If your organisation has an Incident Response or Crisis Communications Plan in place, notifying your various stakeholders will be one of the key tasks. Letting customers or subscribers know that their data has been leaked on the dark web, communicating with regulators, and the time in-house teams spend liaising with external specialists all come with costs that can add up. In the big scheme of things, the IBM report noted that these types of costs only accounted for 6% of an overall incident bill; nevertheless, it’s adding to a growing list of expenses.
If your factory floor comes to a complete standstill because your manufacturing equipment is connected to the network that has been hit with ransomware, you won’t be able to supply your customers—unless you have contingency stock and/or your operations are only down for a short period. It’s no surprise that lost business is the largest cost on the cyber incident bill, coming in at up to 40% of the total. Loss of operations can have both short- and long-term ramifications, too; if your customers need to go elsewhere to get what they need, it’s not a certainty that they will come back to you when the incident is over.
Sadly, and somewhat unfairly given the ubiquity of issues such as ransomware, cyber attacks can also impact an organisation’s reputation. This is a difficult cost to calculate but it is ‘a thing’ according to Hiscox, which reports that 15% of respondents who had been hit struggled with exactly this and reported more difficulties in attracting new business.
The costs associated with an attack can continue to arise for a long time, even months or years, after the initial incident. Some of these may include:
According to the 2020 IBM Cost of a data breach report, “Incident Response preparedness was the highest cost saver for businesses”. This trend has continued in 2021, with businesses that have an Incident Response team and have tested their plans seeing a lower average cost if they are breached.
But what does that look like?
Hire (and train) the right people. For those organisations with the resources to invest in any sort of in-house cyber response capability, whether this is a SOC or a designated security incident manager, it’s important to make sure they have relevant skills and are keeping them up to date.
Think ahead. For those who don’t have these resources, it’s important to know who you will talk to if something goes wrong. Outsourcing incident response can be the most cost-effective option, but it will be even more cost-effective if you plan ahead and develop a relationship with an external cyber security consultancy while things are running smoothly. This gives their team the opportunity to understand your operations, so they can hit the ground running when they are called. Starting from scratch in the middle of an emergency will invariably take away from the time needed for meaningful activity to contain the incident.
Have a plan, test that plan. An incident response plan which sets out how your organisation will respond to a cyber incident—including issues such as technical responses, roles and responsibilities and communications protocols—will greatly reduce the time needed to contain an incident. But something on paper doesn’t always work out when put into action. Think about testing your plan; for example, if you are hit by a ransomware attack, do you know how long it would take to restore your systems from back-up? Have you ever run a tabletop exercise that replicates the conditions of a cyber incident?
Lastly, it’s also helpful to have a wider understanding of how your organisation is set up to defend against digital threats. We help a lot of our clients achieve this understanding with a maturity assessment. Our consultants spend time in your business to analyse your cyber security and compliance requirements and establish the effectiveness of the measures you currently have in place. They evaluate whether those measures align with organisational maturity targets based upon risk appetite, stakeholder expectations, and regulatory/legal requirements. This allows you to build on your existing foundation and only spend money where you need to.