We’re going to be upfront here. There is a lot of talking around the question of cybersecurity costs in the IT industry. There are many valid reasons for this, including the fact that companies hit by hackers often want to keep as much of the impact under wraps as possible.
Those reasons are not the issue, though. You need to know the numbers and how cyberattack costs can add up. So, let’s get into it.
Looking at the Numbers
Let’s start by looking at the research and stats that are currently available. According to the National Cyber Security Alliance, the average payout for a ransomware attack (which is just one type of cyberattack) is now $177,000.
A report by NetDiligence highlights a similar figure for the average ransomware payout. However, its report finds the total cost of dealing with a ransomware attack (paying the ransom and other associated costs) is much higher at $275k. Sumo Logic, meanwhile, puts the average cost of ransomware attacks at $133,000.
Insights can also be found in IBM’s Cost of a Data Breach report. The 2021 version of the report put the average cost of a data breach globally at $4.24m (the figure is even higher looking at the US only). Around 38 percent of this cost is accounted for in lost business, with the rest made up of detection, escalation, and post-breach response.
The above IBM research uses an “average per record cost” to complete some of the calculations. We can also use this figure to get an idea of what it might cost your business if you suffer this specific type of cyberattack, i.e. a data breach. A data breach could include customer, employee, and other personal contact data.
According to the IBM report, the average cost per record of a data breach in 2021 was $161. If you have a data breach that impacts 5,000 customer records, as an example, you can expect the cost to your business to be in the region of $800k.
Real-World Examples
Rokenbok Education (now known as Kid Spark Education) is one example. It provides mobile STEM labs and other educational solutions for schools. It suffered a ransomware attack that resulted in the company losing thousands of dollars in sales. It didn’t pay the ransom, but it lost the sales because it was offline for four days while it got its systems operational again.
Most small businesses want to keep the information about a cyberattack quiet to avoid bad publicity and prevent other hackers from trying another attack. There are other examples, though, including a story on the Verizon blog about a business that asked to remain anonymous. The company, a family-run electronics business, was attacked by hackers who started collecting the data of its credit card customers, using that data to make purchases. The company ended up with a six-figure fine.
The Costs You Will Incur as a Result of a Cyberattack on Your Business
How much a cyberattack will cost your business depends on a range of variables, including the size of your company, the type of attack, the practical impact of the attack, and how costs are calculated. That last point is important, as Deloitte says a lot of the focus when assessing the average cost of a cyberattack is restricted to things like credit monitoring, fines, and customer notification costs.
Costs like average ransomware payments are reasonably straightforward to find, too, and data breaches are becoming easier to evaluate, since there is now broad consensus on the cost per record of a data breach.
However, there are lots of other costs that often remain hidden. We’ve included both the visible and less visible costs of a cyberattack in the list below.
Operational Downtime
Downtime in your business costs time and money. The reality is that dealing with a cyberattack often involves a complete shutdown of operations, whether instigated by you as you investigate and resolve the issue, or instigated by the attackers as leverage.
These costs stack up every minute you are not able to properly trade. The problem doesn’t completely go away when you start to come back online again, either, as the move back to normal trading is likely to be gradual. In other words, a proportion of downtime costs will continue until you are fully up and running.
Remediation Costs
Remediation costs can be difficult to quantify until you experience them directly, but they can include everything from IT costs to remediate systems, to the cost of diverting resources between business units, to costs for the repair of facilities damaged as a result of the cyberattack.
Reputational Damage
Cyberattacks can result in a loss of trust and loyalty with customers, negative reviews online, and negative mentions on social media, as well as the still highly significant negative word of mouth. This reputational damage can then result in a drop in sales and lost customers that can be difficult, expensive, and time-consuming to recover from.
Regulatory Costs
Regulations are still evolving in this area, but they shouldn’t be underestimated. If you have customers in Europe, for example, those customers are protected under the EU’s GDPR regulations. Fines at the lower severity scale under those regulations can be up to around $12m, or two percent of global revenues, whichever is higher.
California also has privacy laws that can result in fines of up to $7,500 per individual violation. As an example, failing to include a cookie banner could be a breach of California’s privacy regulations in some situations. However, this doesn’t just represent a single violation of the law and one fine. Every time someone visits your site is another individual violation, so you can see how the fines can add up.
Even though these regulations don’t specifically apply to your business in Oregon, they are an indication of where the regulatory landscape could be going. A report in the New York Times, for example, says Colorado and Virginia have similar privacy rules to California, while at least four other states are in the advanced stages of introducing their own legislation.
Lost Business and Customers
Customers can lose confidence in your business as a result of a cyberattack. This can occur because they are directly affected by disruption to the services or products you supply. Your customers may even be caught up in the actual cyberattack, like in the example above. This situation can also involve additional costs, including the cost of lawsuits from clients whose data you didn’t protect.
The full impact of lost business and customers is not always immediately apparent, as customers can move away over time, while you might find it hard to bring new customers on board.
Increased Debt Costs
Cyberattacks can cause your credit rating to drop, making it more costly to raise new debt or refinance existing debt.
Increase in Cyber Insurance Costs (or not being able to get insurance again)
There isn’t much research available in this area, but Deloitte reports that companies have faced increases in cyber insurance premiums by as much as 200 percent following a cyberattack. These increases are often accompanied by new restrictions and requirements that can also incur additional costs.
Loss of Employees
Many companies lose key employees as a result of a cyberattack, plus you might find it difficult to recruit new employees, at least in the short term.
Legal Costs
Getting legal advice and support following a cyberattack is usually essential. There will be a cost for this advice and support, with the fees typically increasing with the severity or complexity of the attack.
Canceled Contracts
Cyberattacks can result in canceled contracts where the financial impact is immediate. There might even be penalties you need to pay. It goes deeper than this, though, as potential future contracts might be impacted by the cyberattack, at least in the short term.
Loss of Intellectual Property
Cyberattacks can result in intellectual property rights being breached, such as through the exposure of trade secrets or other confidential information. This is an intangible cost but, depending on your business, it can be significant, particularly if it impacts competitiveness.
Investing Now to Prevent Costs in the Future
The cost of a cyberattack can be crippling for businesses of just about any size. The best approach is prevention, i.e. investing now to minimize the risk of a cyberattack in your company. There is too much at stake to take any other approach.
Training your team on cybersecurity risks, ensuring you have recurring off-site backups of your data, and keeping software and systems up to date are some of the things that you should be doing now and on an ongoing basis.
Support is available. At StepUP IT, for example, we have a Security Plan that will provide an immediate boost to your level of cybersecurity. Find out more today.
