By Mark Gibbs
What Does a Cyber-Attack Really Cost?
A lot more than you might think.
When it comes to thinking about cyber-attacks, many of the folks running businesses are relying on a heavy combination of faith ("it won't happen to us"), reliance on cyber-insurance ("any losses will be covered"), and the unfounded belief that the long-term consequences won't be that bad ("if it does happen, we'll be back in business in no time"). Alas, every single one of those ideas is simply wrong.
Let's start with whether it will happen to your organization. Consider the rise in data breaches since 2005:
While the total number of records exposed in 2016 was the lowest in four years (and remember that only large organizations report breaches, and even then not all of them do so), the total number of breaches shows no sign of diminishing. In other words, more organizations are getting hit, and the largest segment of victims now and in the future lies in the SMB and SME world, so believing "it probably won't happen to us" is not a good bet to place.
How about relying on that cyber-insurance? Sure, you may have coverage, but when your insurer sends in the auditors to figure out the when, why, and how of the attack, you're looking at what will likely be a lengthy investigation (which will delay payment), and if any areas of your security reveal a lack of due care, you could find your claim reduced or even denied ("You didn't change the default password on the firewall?! Sorry, but your policy doesn't cover stupidity."). Thus, while cyber-insurance is great and necessary, don't think having a cyber-insurance policy will make the consequences of a breach any easier or quicker to resolve.
So, let's consider the cost of a breach: According to the Ponemon Institute's 2017 Cost of Data Breach Study sponsored by IBM, every lost or stolen record of confidential data in 2017 in the United States cost, on average, $225. That means that the average total cost to the 63 companies in the study was $7.35 million (in 2013 this was lower at $5.04 million). It's also worth noting that the breaches studied were relatively small; the number of breached records per incident in the 2017 study ranged from 5,563 to 99,500 records.
What the Ponemon study didn't explore were the long-term costs, but another recent report, Analysis: How data breaches affect stock market share prices, by Comparitech, found that breached companies underperform the NASDAQ by 42% after three years. Among its key findings:
- Stocks on average suffer an immediate decrease in share price following a breach of 0.43%, about equal to their average daily volatility
- In the long term, share prices continue to rise on average, but at a much slower pace. We saw a 45.6% increase in share price during three years prior to breach, and only 14.8% growth in the three years after. Daily volatility was about the same for both periods.
- Breached companies tend to underperform the NASDAQ. They recover to the index’s performance level after 38 days on average, but after three years the NASDAQ ultimately outperforms them by a margin of over 40 percent
- More recent breaches had less of a negative impact on share price than older ones
- Finance companies experienced the largest immediate decline in share price directly after a breach, but internet businesses, such as e-commerce and social media companies, suffered the most in the long term
- Larger breaches had less of an impact on share price than smaller breaches
- Breaches of highly sensitive data, such as credit card and social security numbers, had a greater impact on the immediate drop in share price following a breach than companies that leaked less sensitive info, such as email addresses. The sensitivity of breached data had a less clear impact on share price in the long term
The report concludes with:
Two noteworthy factors that we did not cover in this analysis stood out most. The first: payouts. If a data breach leaks particularly damaging information that ultimately incurs financial damages to a company’s customers, and the company was shown not to have adequately protected the information leaked in that breach, then customers often sue in class-action lawsuits. These usually result in settlements, in which the company forks out millions of dollars to reimburse customers for damages. This does not always happen and the amount paid out varies, so we simply don’t have enough data to fit a practical model that shows how these settlements affect stock prices.
The second is financial reports. This would perhaps warrant an entirely separate study. We analyzed the share price starting with the day prior to when a data breach was publicly disclosed. While a company might divulge what information was leaked and how many records were affected in that initial disclosure, other consequences might not be revealed until the company releases its requisite quarterly shareholder report. This could include loss of sales or users, diverting funds to invest in data security, or other important information related to the breach that could cause investors to jump ship.
IBM has a very interesting online model that lets you slice and dice the factors that determine the cost of a breach on either a global or individual country basis.
The takeaway from this is that breaches involve both immediate costs and long-term costs. Moreover, remember that all we're talking about are breaches involving confidential records such as medical and financial data. There's another type of threat that will become more common: cyber-damage, for example making data inaccessible, as we saw with the recent WannaCry ransomware attack that affected over 300,000 Windows installations worldwide.
While it appeared that the WannaCry attack was about ransom to regain access to the victim's data, the vast majority of incursions resulted in useless machines whether or not the ransom was paid. Interestingly, despite the enormous number of infected machines, the people behind the attack only made about $50,000, which implies either that the attack was less successful than planned or that the intention all along was simply to cause damage and chaos, something else that will become a common theme in the future (why? For the same reasons that people graffiti walls, trains, buildings, etc. … just because they can and because they can get away with it).
And ransomware attacks aren't slowing down. According to Cybersecurity Ventures, the global cost of ransomware attacks will be over $5 billion this year (up from only $325 million two years ago). Moreover, Cisco's 2017 Annual Cybersecurity Report predicts ransomware is growing at a rate of 350% per year!
So, the bottom line is that there's no doubt the cost and frequency of breaches will increase exponentially over the next few years, and in the case of a large-scale attack, cyber-insurance may take longer to pay out (or not pay out at all) than you might think. On top of that, even if and when you've recovered from your immediate losses, there will probably be a long-term financial downside. All of this makes every breach far more costly than the notional $225 per record. That cost is merely the tip of a financial loss iceberg, and if you're not prepared, your business looks a lot like the Titanic.
Next week, job security.
About Mark Gibbs
Mark is the author of four best-selling computer networking book titles and was a syndicated journalist and columnist for 24 years writing for Network World, Computer World, and other IDG publications.