There is no simple answer. When asked to quantify the cost of a breach, security experts will take one of two paths: they will 1) Choose to calculate the breach cost (which sends them down a complicated path), or 2) Decline to calculate.
Remember what happened to Lincolnshire County Council in the UK in 2016? In that incident, 300 endpoints were infected, resulting in four days of downtime. In its own report on the attack, Lincolnshire County Council stated, “In spite of the growing threat, loss of IT through cyber attack does not currently feature as a strategic risk. More recent corporate business continuity planning has concentrated on the inter-dependencies between the loss of premises, or power, and the provision of IT services but not on the vulnerability of our services to prolonged and complete loss of systems through malicious act.” If the Board doesn’t understand the risks, how can it understand the cost of a breach? Here are some important considerations to keep in mind while discussing the importance of calculating the cost of a breach with your Board:
- Cyber risk impacts can spread far and wide. I find that the London Holborn fire back in 2015 is a good way of illustrating how easy it is to underestimate risks. It was an underground fire beneath a street, not a fire in our building or a neighboring building. The event wasn’t even on our street, yet power was cut for nearly a week. It took out nearly a quarter of a square mile of the West End of London, affecting over 3,000 properties, shutting theaters and businesses as their power contingency plans were overwhelmed. Calculating the cost of a potential breach can help prevent underestimating the risks it can bring.
- The GDPR legislation changes how we view breaches and risks by adding potential fines for issues stemming from suppliers and service providers that handle our data. As well as defending against cyber attacks, operators also need to investigate a breach, understand its full impact and take steps to contact those affected. All of these systems and processes have an associated cost that must be accounted for. This more recent legislation is another good reason to start calculating the cost of data breaches.
- Every company is different. The multidimensional nature of what a company can potentially lose from a breach plays into understanding the cost of a breach. Any downtime as a result of a breach, and the resulting revenue loss, is typically minor compared to the loss of reputation that could be incurred if client data falls into the wrong hands. This could mean lost contracts and renewals, degraded customer sentiment, as well as regulatory fines. Therefore, your company may have its own very specific factors that play a crucial role in the cost calculations for a potential cyber threat.
Back to the original question of ‘How much does a cyber breach cost an organization?’ Unless you are an expert in risk calculations and have access to a full, up-to-date audit of all your computer systems and services, you are taking an educated guess at best. At worst, you are just making up numbers. Either way, you don’t want to find out the hard way how much a cyber breach will cost. Starting out by getting your Board on board with this idea is the right way to go.
About the author:
Nick Ioannou is an IT professional, blogger, author, and public speaker on cloud and security issues, with over 20 years’ corporate experience. He started blogging in 2012 on free IT resources (http://nick-ioannou.com), currently with over 400 posts. He is the author of ‘Internet Security Fundamentals’ and ‘A Practical Guide to Cyber Security for Small Businesses’, as well as a contributing author of two ‘Managing Cybersecurity Risk’ books and ‘Conquer The Web’ by Legend Business Books.