We’re going to be upfront here. There is a lot of talking around the question of cybersecurity costs in the IT industry. There are many valid reasons for this, including the fact that companies hit by hackers often want to keep as much of the impact under wraps as possible.
Those reasons are not the issue, though. You need to know the numbers and how cyberattack costs can add up. So, let’s get into it.
Let’s start by looking at the research and stats that are currently available. According to the National Cyber Security Alliance, the average payout for a ransomware attack (which is just one type of cyberattack) is now $177,000.
A report by NetDiligence highlights a similar figure for the average ransomware payout. However, its report finds the total cost of dealing with a ransomware attack (paying the ransom and other associated costs) is much higher at $275k. Sumo Logic, meanwhile, puts the average cost of ransomware attacks at $133,000.
Insights can also be found in IBM’s Cost of a Data Breach report. The 2021 version of the report put the average cost of a data breach globally at $4.24m (the figure is even higher looking at the US only). Around 38 percent of this cost is accounted for in lost business, with the rest made up of detection, escalation, and post-breach response.
The above IBM research uses an “average per record cost” to complete some of the calculations. We can also use this figure to get an idea of what it might cost your business if you suffer this specific type of cyberattack, i.e. a data breach. A data breach could include customer, employee, and other personal contact data.
According to the IBM report, the average cost per record of a data breach in 2021 was $161. If you have a data breach that impacts 5,000 customer records, as an example, you can expect the cost to your business to be in the region of $800k.
Rokenbok Education is one such example (Rokenbok Education is now known as Kid Spark Education). It provides mobile STEM labs and other educational solutions for schools. It suffered a Ransomware attack that resulted in the company losing thousands of dollars in sales. It didn’t pay the ransom, but it lost the sales as it was offline for four days while it got its systems operational again.
Most small businesses want to keep the information about a cyberattack quiet to avoid bad publicity and prevent other hackers from trying another attack. There are other examples, though, including a story on the Verizon blog about a business that asked to remain anonymous. The company, a family-run electronics business, was attacked by hackers who started collecting the data of its credit card customers, using that data to make purchases. The company ended up with a six-figure fine.
How much a cyberattack will cost your business depends on a range of variables, including the size of your company, the type of attack, the practical impact of the attack, and how costs are calculated. That latter point is important, as Deloitte says a lot of the focus when assessing the average cost of a cyberattack is restricted to things like credit monitoring, fines, and customer notification costs.
Costs like average ransomware payments are reasonably straightforward to find, too, and data breaches are becoming easier to evaluate, since there is now broad consensus on the cost per record of a data breach.
However, there are lots of other costs that often remain hidden. We’ve included both the visible and less visible costs of a cyberattack in the list below.
Downtime in your business costs time and money. The reality is that dealing with a cyberattack often involves a complete shutdown of operations, whether instigated by you as you investigate and resolve the issue, or instigated by the attackers as leverage.
These costs stack up every minute you are not able to properly trade. The problem doesn’t completely go away when you start to come back online again, either, as the move back to normal trading is likely to be gradual. In other words, a proportion of downtime costs will continue until you are fully up and running.
Remediation costs can be difficult to quantify until you experience them directly, but they can include everything from IT costs to remediate systems, to the cost of diverting resources between business units, to costs for the repair of facilities damaged as a result of the cyberattack.
Cyberattacks can result in a loss of trust and loyalty with customers, negative reviews online, and negative mentions on social media, as well as the still highly significant negative word of mouth. This reputational damage can then result in a drop in sales and lost customers that can be difficult, expensive, and time-consuming to recover from.
Regulations are still evolving in this area, but they shouldn’t be underestimated. If you have customers in Europe, for example, those customers are protected under the EU’s GDPR regulations. Fines at the lower severity scale under those regulations can be up to around $12m, or two percent of global revenues, whichever is higher.
California also has privacy laws that can result in fines of up to $7,500 per individual violation. As an example, failing to include a cookie banner could be a breach of California’s privacy regulations in some situations. However, this doesn’t just represent a single violation of the law and one fine. Every time someone visits your site is another individual violation, so you can see how the fines can add up.
Even though these regulations don’t specifically apply to your business in Oregon, they are an indication of where the regulatory landscape could be going. A report in the New York Times, for example, says Colorado and Virginia have similar privacy rules to California, while at least four other states are in the advanced stages of introducing their own legislation.
Customers can lose confidence in your business as a result of a cyberattack. This can occur because they are directly affected by disruption to the services or products you supply. Your customers may even be caught up in the actual cyberattack, like in the example above. This situation can also involve additional costs, including the cost of lawsuits from clients whose data you didn’t protect.
The full impact of lost business and customers is not always immediately apparent, as customers can move away over time, while you might find it hard to bring new customers on board.
Cyberattacks can negatively impact your credit rating, causing your rating to drop, making it more costly to raise new debt or refinance existing debt.
There isn’t much research available in this area, but Deloitte reports that companies have faced increases in cyber insurance premiums by as much as 200 percent following a cyberattack. These increases are often accompanied by new restrictions and requirements that can also incur additional costs.
Many companies lose key employees as a result of a cyberattack, plus you might find it difficult to recruit new employees, at least in the short term.
Getting legal advice and support following a cyberattack is usually essential. There will be a cost for this advice and support, with the fees typically increasing with the severity or complexity of the attack.
Cyberattacks can result in canceled contracts where the financial impact is immediate. There might even be penalties you need to pay. It goes deeper than this, though, as potential future contracts might be impacted by the cyberattack, at least in the short term.
Cyberattacks can result in intellectual property rights being breached, such as through the exposure of trade secrets or other confidential information. This is an intangible cost but, depending on your business, it can be significant, particularly if it impacts competitiveness.
The cost of a cyberattack can be crippling for businesses of just about any size. The best approach is prevention, i.e. investing now to minimize the risk of a cyberattack in your company. There is too much at stake to take any other approach.
Training your team on cybersecurity risks, ensuring you have recurring off-site backups of your data, and keeping software and systems up to date are some of the things that you should be doing now and on an ongoing basis.
Support is available. At StepUP IT, for example, we have a Security Plan that will provide an immediate boost to your level of cybersecurity. Find out more today.
Maybe you think your business is too small for an MSP, but nothing could be further from the truth. MSPs can help companies of all sizes with cloud computing, data storage and security, software and hardware maintenance and upgrades, and much more. Yes, even the smallest small businesses, including those with 50 or fewer users.
Leading an IT team is a tough, multi-faceted job, and no one understands that better than an MSP (managed services provider). An MSP is a tech partner that works with you to handle everyday IT tasks and can help you ensure that the changing nature of technology doesn’t leave your business behind.
Whether you’ve got 10 or 100 employees, a managed services provider can keep your IT on track and your business running smoothly. Even companies in the 250-300 user range, just toeing the line into enterprise-level tech solutions, can enjoy all the benefits of an MSP.
An IT generalist is a jack-of-all-trades. They’re by your side every day to manage your help desk, support your staff’s IT needs, deliver service and maintenance, and be network administrators who ensure everything is working as intended. On the other hand, an IT specialist works on more complex technology issues, such as projects and escalations. IT specialists also often take on the role of solutions architects.
Getting your outsourced IT services from an IT Services company seems like an obvious choice. You have someone you can call when things go sideways to help you get your technology back up and running. An MSP, or managed service provider, is a type of outsourced IT, but not all outsourced IT companies are MSPs. We’re going to break down the differences even further.
Between inflation, supply chain interruptions, and the looming possibility of yet another recession, it can be difficult for business leaders to chart the best course of action to keep themselves not just solvent, but thriving and growing in the face of such economic uncertainty. One way that businesses can make themselves more recession-proof is by having a solid IT structure in place, including software, hardware, security, data storage, and IT experts, to help everything run efficiently and effectively
Many businesses are turning to outside IT professionals to help them optimize their operations and keep their technology running smoothly and efficiently through strategic planning. A vCIO, or virtual Chief Information Officer, can be the key to streamlining IT functionality for your business.
There are outsourced IT services, and then there are MSPs—managed service providers. Managed service providers are outsourced IT companies, but not all outsourced IT companies are MSPs. Managed service providers are local businesses and, more importantly, local to your business.
Onboarding new staff members can be both exciting and nerve-wracking. While it symbolizes growth and new opportunities for your organization, it’s crucial to implement the necessary measures to guarantee a secure and seamless integration.
Since 2001, StepUP IT Services has been helping businesses in Eugene and throughout Oregon with their technology needs. We are your IT partner. We manage and maintain your technology, empowering your organization to reach its goals. Making you happy is what makes us happy.
228 Grimes St. Eugene, OR 97402
Proud member of the
Business Hours: Monday – Friday 7am-5pm PST
Contact us by phone at (541) 683-5000 for afterhours support.
Office closed for New Year’s, Memorial Day, Independence Day, Labor day, Thanksgiving, and Christmas
© 2021-2023 All rights reserved
