While the impacts of a cyberattack will be felt differently by small and large businesses, the damage caused by a breach can create a significant dent in a business’ bottom line, no matter its size.
The average security breach on a small business will cost about US$38,000, according to a study from Kaspersky Lab. The amount includes the costs of downtime, lost business opportunities and the services the company will need to hire to mitigate the cyber security breach. Small businesses pay, on average, about $10,000 in professional services, including the hiring of IT security and risk management consultants, lawyers, auditors, accountants and public relations consultants.
Downtime costs for smallish businesses hover around $23,000 and lost business opportunities about $5,000. Many of the victims will spend about $8,000 trying to ensure a similar incident doesn’t happen again with investments in new staff members, cybersecurity training for existing employees and making upgrades to its IT infrastructure.
The impact is even more costly to larger businesses, where the average cybersecurity breach costs about $825,000.
The study found that malware attacks are the most prevalent type of cyberattack. Other common categories include phishing attacks and accidental data leaks by employees.
Despite the potentially crippling financial impact of such attacks, many businesses aren’t making cybersecurity a top priority. Only 50% of the IT professionals surveyed list prevention of security breaches as one of their major concerns.
Evaluating the “Hidden” Costs of a Cyber Attack
Common perceptions, however, are mostly shaped by what companies are required to report publicly, such as the theft of personally identifiable information (PII), payment data, and personal health information (PHI). Costs related to customer notification, credit monitoring, and the possibility of legal judgments or regulatory penalties. Today, the industry is converging on a “cost per record” calculation for consumer data breaches.
Cases of intellectual property (IP) theft, espionage, data destruction, attacks on core operations, or attempts to disable critical infrastructure, however, are rarely brought into view. These attacks can have a more significant impact and lead to additional costs that are more difficult to quantify.
Given the impact and prevalence of cybersecurity breaches, executives must be aware not only of direct impact costs to their businesses, but also the number of hidden costs associated with a cybersecurity breach.
Insurance premium increases. Insurance premium increases are the additional costs an insured entity might incur to purchase or renew cyber risk insurance policies following a cyber incident. Influencing factors on future costs may include: a willingness to provide in-depth information by the policyholder upon review of the incident; the entity’s plan to improve incident handling and other facets of its security program; anticipated litigation; and assumptions concerning the policyholder’s level of cybersecurity “maturity.”
Increased borrowing costs. As a result of a drop in credit rating, the victim organization faces higher interest rates for borrowed capital, either when raising debt or renegotiating existing debt because they are perceived as higher-risk borrowers following a cybersecurity incident.
Operational disruptions or destruction. This is a highly variable cost category that includes losses tied to manipulation or alteration of normal business operations and costs associated with rebuilding operational capabilities. Cyber attack victims will need to repair equipment and facilities, build temporary infrastructure, divert resources, or increase existing resources to replace systems that have been shut down.
Customer relationship losses. Immediately following a breach, it can be difficult for an organization to quantify how many customers have been lost. Economists and marketing teams approach this challenge by attaching a “value” to each customer to quantify how much the business must invest to reacquire particular customers.
Value of lost contract revenue. Value of lost contract revenue includes revenue, income loss, and lost future opportunities associated with contracts that are terminated following a cyber incident.
Devaluation of trade name. A brand name is associated with the name of a specific company or a specific product, whereas a trade name relates to an organization as a whole. To determine a cyber incident’s financial impact to the value of a company’s trade name, the likely value of the trade name both before and after the cyber incident has to be assessed.
Loss of intellectual property. Loss of IP is an intangible cost associated with loss of exclusive control over trade secrets, copyrights, investment plans, and other proprietary and confidential information that can lead to loss of competitive advantage, loss of revenue, and lasting and potentially irreparable economic damage to the company. Types of IP include, but are not limited to, patents, designs, copyrights, trademarks, and trade secrets.
Cyber Attacks Cause More Than Just Financial Pain
A business’ success depends heavily on its reputation and perception in the marketplace, and the value it delivers in the long-term. Cyber attacks cause damage that cut deeper than dollars and cents: mitigating an attack’s impact requires a focus on managing risks and vulnerability to cyber attackers to ensure your business’ reputation remains intact.
There are many ways a cyberattack can affect – and cost – an organization, and the impacts will vary depending on the nature and severity of the event. And no business is immune.