We’re all used to articles citing eye-watering figures on what a data breach or ransomware attack can cost an organisation; typically figures ranging from thousands through to millions.
But where does that money actually get spent? Not all attacks cost in the millions like some of the high-profile ones, but regardless of the size of business, any unnecessary spend is something we prefer to avoid if we can help it.
Let’s look at some of the statistics:
- 32% of businesses (of all sizes) reported having cyber security breaches or attacks in the last 12 months (DSIT Cyber security breaches survey 2023).
- That percentage is much higher when looking specifically at medium businesses (59%) and large businesses (69%).
- According to the 2022 Hiscox Cyber Readiness report, the UK has the lowest proportion of organisations being attacked (42%), but the median cost of an attack, at £22,049, is almost double what it was in 2021. The biggest loss for a single organisation was £15.8 million.
- Globally, the average cost of a cyber attack rose to USD 4.45 million in 2023, up 2.3% from 2022, according to IBM’s Cost of a Data Breach Report 2023.
- Those with high levels of Incident Response planning and investments in protection against cyber attacks saved on average USD 1.49 million compared to those organisations with little to no Incident Response planning.
- And, worryingly, according to the Cyber security breaches survey only about 27% of all businesses have a business continuity plan that covers cyber security (down from 31% in 2021).
Cost breakdown
Of course, not all incidents (e.g., ransomware attack vs. data breach) will have the same outcome (e.g., operational disruption vs. loss of data), but there are some key costs that most organisations won’t be able to avoid.
Here are the key potential cost components you need to factor in when thinking about the impact an attack might have on your organisation.
Initial response
While larger organisations may have a detection system or even a fully staffed Security Operations Centre in place, sadly, for a lot of businesses (micro, small and medium), it’s most often the case that the symptoms of a cyber incident must be bad enough to impact operations before anyone realises there is a problem.
Regardless, once detected, whether you have an in-house Incident Response team or you have to bring in a third-party, you need specialist skills to handle an incident. That could include not just technical experts to understand the problem and get systems up and running again but other specialists, such as a PR agency to deal with communications. These specialists come at a high price for a reason and more so in emergency situations, and they may be needed for some time before the incident is initially under control (according to IBM’s 2023 report, the average time to identify and contain a breach is about 277 days). When calculating this cost, you should consider how much time you might need to engage external specialists for and how you want to manage the incident (e.g., do you want to investigate so you can pursue legal avenues later?). But plan on a rate of anything between £800 – £1500/day.
And that’s not all. Once you’ve contained the incident and communicated it to your stakeholders, you may then also need a third-party to assess and audit your organisation’s security measures, to ensure there is less likely to be a next time—or if there is, measures are put in place to limit impact.
Notification
If your organisation has an Incident Response or Crisis Communications Plan in place, notifying your various stakeholders will be one of the key tasks. Letting customers or subscribers know that their data has been leaked on the dark web, communicating with regulators, and the time in-house teams spend liaising with external specialists all come with costs that can add up. The IBM report states that the cost of notifying key stakeholders of an incident has risen from USD 310,000 in 2022 to USD 370,000 in 2023.
Lost business/loss of reputation
If your factory floor comes to a complete standstill because your manufacturing equipment is connected to a network that has been hit with ransomware, you won’t be able to supply your customers—unless you have contingency stock and/or your operations are only down for a short period. It’s no surprise that lost business is the largest cost on the cyber incident bill, coming in at up to $1.30 million on average. Loss of operations can have both short- and long-term ramifications, too; if your customers need to go elsewhere to get what they need, it’s not a certainty that they will come back to you when the incident is over.
Sadly, and somewhat unfairly given the ubiquity of issues such as ransomware, cyber attacks can also impact an organisation’s reputation. This is a difficult cost to calculate but it is ‘a thing’ according to Hiscox, which reports that 27% of respondents who had been hit struggled with exactly this and reported more difficulties in attracting new business.
Recovery period (or ‘long tail’ costs)
The costs associated with an attack can continue to arise for a long time, even months or years, after the initial incident. Some of these may include:
- Communications. Ongoing communication with stakeholders could have a hefty price tag attached, especially if the impact of the breach is severe (e.g., the leak of Personally Identifiable Information).
- Reparations. These may be required for customers in the form of credit monitoring, payouts or product discounts. This is about re-building trust with your stakeholders – they will want to know you are making the utmost effort to limit the impact to them. Warner Music Group, for example, offered ‘identity monitoring services’ for 12 months to their subscribers.
- Legal costs. These are to be expected, whether the organisation is prosecuting the persons responsible for a breach/attack or must respond to a class action brought by stakeholders.
- Regulatory fines. And finally, regulator fines, particularly in highly regulated industries, can be immense. As a well-known example, the ICO fined British Airways £20m (reduced from £183m – 1.5% of the airline’s global turnover in 2017) for breaching the GDPR in 2018.
How to prepare your organisation to minimise the impact of a breach
According to the 2020 IBM Cost of a data breach report, “Incident Response preparedness was the highest cost saver for businesses”. This trend has continued in 2023, with businesses that have an Incident Response team and have tested their plans seeing a lower average cost if they are breached.
But what does that look like?
Hire (and train) the right people. For those organisations with the resources to invest in any sort of in-house cyber response capability—whether this is a SOC or a designated security incident manager—it’s important to make sure they have relevant skills and are keeping them up to date.
Think ahead. For those who don’t have these resources, it’s important to know who you will talk to if something goes wrong. Outsourcing incident response can be the most cost-effective option, but it will be even more cost effective if you plan ahead and develop a relationship with an external cyber security consultancy when things are running smoothly. This gives their team the opportunity to understand your operations, so they can hit the ground running when they are called. Starting from scratch in the middle of an emergency will invariably take away from time needed for meaningful activity to contain the incident.
Have a plan, test that plan. An incident response plan which sets out how your organisation will respond to a cyber incident—including issues such as technical responses, roles and responsibilities and communications protocols—will greatly reduce the time needed to contain an incident. But something on paper doesn’t always work out when put into action. Think about testing your plan; for example, if you are hit by a ransomware attack, do you know how long it would take to restore your systems from a back-up? Have you ever run a tabletop exercise that replicates the conditions of a cyber incident?
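The restore question above is one you can answer with a drill rather than a guess. The script below is an added example, not part of the original post or of PGI’s own tooling: it builds a small constructed dataset, backs it up with a checksum manifest, wipes the “live” copy as ransomware would, then restores it, verifies every file against the manifest and reports how many seconds the restore took. All paths and file names are assumptions; point the same steps at a real backup set to get a number you can put in your plan.

```shell
#!/bin/sh
# Added example: a minimal backup-restore drill with integrity verification.
# Everything under $WORK is constructed sample data, not real systems.
set -eu

WORK="${TMPDIR:-/tmp}/restore_drill.$$"   # assumed scratch location

# Build a constructed dataset standing in for production config and data.
make_sample_data() {
    mkdir -p "$WORK/live/config" "$WORK/live/data"
    printf 'db_host=db.internal\n' > "$WORK/live/config/app.conf"
    i=1
    while [ "$i" -le 50 ]; do
        printf 'record %s\n' "$i" > "$WORK/live/data/record_$i.txt"
        i=$((i + 1))
    done
}

# Take the backup: a tarball plus a SHA-256 manifest of every file,
# so the restore can be proven complete rather than assumed to be.
take_backup() {
    mkdir -p "$WORK/backup"
    (cd "$WORK/live" && find . -type f | sort | xargs sha256sum) \
        > "$WORK/backup/manifest.sha256"
    tar -C "$WORK/live" -cf "$WORK/backup/live.tar" .
}

# Simulate the loss: the live tree is gone, only the backup remains.
simulate_loss() {
    rm -rf "$WORK/live"
}

# Restore from the tarball, verify against the manifest and print the
# elapsed seconds. Fails (non-zero exit) if any file differs or is missing.
restore_and_verify() {
    start=$(date +%s)
    mkdir -p "$WORK/live"
    tar -C "$WORK/live" -xf "$WORK/backup/live.tar"
    (cd "$WORK/live" && sha256sum -c --quiet "$WORK/backup/manifest.sha256")
    end=$(date +%s)
    echo $((end - start))
}

# Number of files present after the restore (51 for the sample dataset).
count_restored() {
    find "$WORK/live" -type f | wc -l | tr -d ' '
}

# Full drill: prints the restore time in seconds on success.
run_drill() {
    make_sample_data
    take_backup
    simulate_loss
    restore_and_verify
}

cleanup_drill() {
    rm -rf "$WORK"
}
```

Run `run_drill` to get the restore time; the manifest check is the part most real drills skip, and it is what turns “the backup restored” into “the backup restored everything, unchanged”. Record the time, and whether verification passed, alongside the plan so the number is reviewed when the plan is.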
Understand your security posture
Lastly, it’s also helpful if you have a wider understanding of how your organisation is set up to defend against digital threats. We help a lot of our clients achieve this understanding with a maturity assessment. Our consultants spend time in your business to analyse your cyber security and compliance requirements to establish the effectiveness of the measures you currently have in place. They evaluate whether these align with organisational maturity targets based upon risk appetite, stakeholder expectations, and regulatory/legal requirements. This allows you to build on your existing foundation and only spend money where you need to.
Talk to us about minimising the cost of a breach
“Plan for what is difficult while it is easy, do what is great while it is small.”
Sun Tzu, The Art of War
There are so many quotable quotes about preparation, perhaps because it’s something we so often neglect. But in relation to a cyber security incident, preparation may well mean the difference between survival and failure for many organisations, in the event that the worst happens.
Contact us for an obligation free conversation around your current security measures and what your organisation needs to consider.