Ready to pay the cost of cybercrime?

When hackers first began weaponizing the Internet, the cybercrimes that followed were often described as victimless crimes. As soon as personal data began to be stolen and, worse, large sums of money began to be stolen in a variety of ways, the crime could no longer be regarded as victimless. Data and funds now needed protection, meaning individuals and companies had to pay for professional protection services, be it software or a full team of security professionals monitoring large networks.

As soon as victims began losing money, it was clear that it was not just the immediate loss they suffered; other costs also needed to be accounted for as a loss. Terms like direct losses, indirect losses, and intangible losses were used to describe the horrific impact of a breach. For many companies, when servers are offline, operations are severely limited, resulting in extensive downtime. This in turn results in lost revenue. Further, staff still need to be paid despite production and productivity taking a hit. Again, this accrues financial losses. This brief example shows that costs associated with cybercrime tend to increase drastically as a result of knock-on consequences that only really become apparent once the dust settles. In this article, we will look at the true cost suffered by victims following a major data breach or ransomware attack.

The Question of Calculation

To place things in perspective, Statista determined the average cost suffered by a victim of a major data breach in the US to be 9.48 million USD. The costs associated with experiencing such a major incident have risen year-on-year consistently since 2012. How do researchers, academics, and actuaries come to such a phenomenal number?

Those of us with a skeptical streak will say the number is generated to invoke fear and make companies spend too much on cyber security software and services. This argument would be valid if underreporting of cyber security incidents wasn’t a reality. Another factor skeptics might turn to, arguing against such a figure’s accuracy, is the method of calculation. This argument is a double-edged sword that goes against the skeptics’ conclusion somewhat.

Image – From McKinsey report

In a recent report published by McKinsey titled ‘Financial crime and fraud in the age of cybersecurity’, which explored the impact of cyber-driven financial fraud and crime predominantly on banks, it was discovered that banks take a very conservative approach to calculating the financial losses they suffer. There are numerous reasons, both practical and speculative, why such figures are calculated so conservatively, which always leaves the true cost of incidents much higher. McKinsey researchers determined that banks calculated costs by looking only at direct and indirect individual costs and direct fraud losses when working out the losses suffered following an incident. Researchers argue that indirect costs such as forgone revenue and regulatory fines tend to be ignored in the banks that were analyzed. The ignored factors can result in losses far greater than the factors considered.

Image – From McKinsey report

While the McKinsey report focuses on financial institutions, and other industries in separate economic sectors will calculate losses differently, the research highlights that the way losses are calculated leaves much to be desired. The $9.46 million USD estimated by Statista is likely far higher in reality, given the financial sector’s method of discovering losses, and it is likely that other industries adopt similar calculation methods.

Financial Impact and Business Size

While determining how to calculate losses has been shown to be somewhat of a quagmire, reliant on interpretation rather than data, what is not in dispute is that a financial impact is suffered and that it varies depending on the size of the business. In this regard, research conducted by the European Union showed a dramatic increase in attacks against SMEs, which resulted in smaller organizations experiencing a higher proportion of the costs suffered in relation to cybercrime. Researchers stated,

“…smaller organizations tend to experience a higher proportion of cybercrime costs resulting from web-based attacks, malware, phishing, social engineering attacks and stolen devices. Larger organizations, in contrast, experience a higher proportion of costs relating to malicious insiders, malicious code and denial of services. While big enterprises incur the highest costs in nominal terms, the situation in Germany and the UK shows that the financial impact of cyberattacks is disproportionately high for the smallest enterprises.”

And,

“…in the case of Germany, for example, the average cost of a cybersecurity incident for the smallest enterprises is almost half the average for the largest organisations…”

For SMEs, it is often not a lack of awareness of cyber threats, but the perceived extra cost of securing their digital infrastructure, that is a stumbling block to rapid security technology adoption. Seeing that the costs of an incident have the potential to negatively impact SMEs more than larger corporations, as determined by the European Union, much must be done to remove this stumbling block for the betterment of the ecosystem as a whole. This perceived extra cost might not be just perception; in the same study it was noted,

“In proportion to their size and income, the investments required to obtain reasonable levels of cybersecurity can be as much as double compared to investments of larger organizations…As a result, many small companies are unable to grasp completely the scope and risks of cybercrime, and are only able to protect themselves against truly existential threats by means of relatively basic controls.”

Ramifications of the Regulatory Type

The regulatory landscape surrounding data protection is becoming increasingly stringent. Enterprises, especially in healthcare, are subject to a myriad of regulations such as the Health Insurance Portability and Accountability Act (HIPAA). Further, ecommerce companies also need to comply with a host of regulations and best practices. Non-compliance with these regulations post-breach can result in hefty fines and legal penalties, further escalating the financial strain. It is crucial for businesses to invest in compliance initiatives, ensuring that they meet the necessary regulatory requirements and avoid additional financial liabilities.

The Intangibles

Beyond the tangible financial losses, security breaches also incur intangible costs that are equally impactful. Employee morale suffers in the aftermath of a breach due to increased stress, uncertainty, and potential job losses. The internal chaos can lead to a decline in productivity, hindering day-to-day operations. Moreover, the erosion of customer trust and brand reputation can have a lasting impact on the organization’s market standing. Rebuilding these intangible assets requires significant investments in public relations campaigns, customer education initiatives, and brand-rebuilding strategies, all of which contribute to the overall financial burden.

Representative image – Impact of a cyber breach


Threat Landscape Realities

So far, this article has painted a pretty bleak picture, especially for those who operate a small to medium business. Not only is it difficult to calculate the actual losses, be they direct losses, regulatory fines, or the even trickier indirect losses, but it is clear that SMEs suffer more when struck by an incident than larger corporations, which tend to have deeper pockets.

In the wake of this reality, companies have turned to cybersecurity insurance policies. However, premiums for cybersecurity insurance policies have surged due to the rising frequency and severity of cyberattacks. Additionally, coverage limitations and deductibles can substantially impact the out-of-pocket expenses incurred by businesses, often taking said businesses by surprise. An in-depth understanding of the terms and conditions of such policies is paramount, as inadequate coverage can leave enterprises exposed to significant financial losses despite having insurance in place. Again, the picture is pretty bleak, but there is hope.

The following approaches can help safeguard your business better:

1) Assess your information assets and risks (risk assessment)
2) Harden your network and essential data assets by changing default usernames and employing stronger passwords.
3) Regularly update device definitions and patches for anti-virus, firewall, system software, and mobile device management (MDM) assets.
4) Choose technologies and safeguards that fit your business strategy and risk appetite.
5) Create a thorough third-party and vendor management review program.
6) Regularly assess application, network, web, and API security.
7) Regularly train security- and social-engineering awareness.
8) Cybersecurity insurance is not optional anymore; it is essential today.
9) Use firewall and network information for real-time monitoring.
10) C-level executives and upper-level management should regularly discuss, participate in, and help execute the cybersecurity strategy for your organization.

Conclusion

Recent technological advancements, now accessible to SMEs at a cost nowhere near as damaging as an incident, are the best defense. Technologies such as artificial intelligence-driven threat detection, blockchain for secure transactions, and advanced encryption methods become imperative. These innovations not only bolster security but also position the business as a forward-thinking, reliable partner in the eyes of clients and stakeholders, and can reduce insurance premiums. That being said, staying ahead of cybercriminals requires continuous investment, adding to the long-term financial commitments of the organization.

Cybercrime will certainly remain a major threat for years to come. Cybercrime risks are estimated at approximately $11.5 trillion in worldwide value from 2019-2023E, posing a problem for businesses and investors.
