We’ve all seen the articles citing eye-watering figures of what a cyber attack could cost your organisation, but is this true of all attacks? And where does this money actually get spent?
Not all attacks cost millions of pounds. According to the DCMS Cyber Security Breaches Survey 2021, 39% of businesses reported experiencing security breaches or attacks in the last 12 months, and in the UK the average cost of these security breaches and attacks was £8,460. This rose to £13,400 when focusing on medium and large firms.
Another interesting statistic found in the report was that only 31% of respondents had a business continuity plan in place that covered cyber security, which is worrying with the threat of attack being so high.
Now that we know the average financial cost of an attack, it is important to investigate where this cost comes from, in order to understand the impact of an attack on your organisation. Below we break down each component individually.
While larger organisations may have a detection system or a fully staffed Security Operations Centre in place, sadly, for a lot of businesses (micro, small and medium), it’s most often the case that the symptoms of a cyber incident must be bad enough to impact operations before anyone realises there is a problem.
Regardless, once detected, whether you have an in-house Incident Response team or you have to bring in a third party, you need specialist skills to handle an incident. That could include not just technical experts to understand the problem and get systems up and running again but other specialists, such as a PR agency to deal with communications.
These specialists come at a high price, and even more so in emergency situations. It is also important to note that they may be needed for some time before the incident is under control (according to IBM’s 2021 report, the average time to identify and contain a breach is about 287 days, up by 7 days from their 2020 report).
When calculating the cost of bringing in specialist help, you should consider how much time you might need to engage external specialists and how you want to manage the incident (e.g., do you want to investigate so you can pursue legal avenues later?). But plan on a day rate of anything between £800 – £1500/day.
Once you’ve contained the incident and communicated it to your stakeholders, you may also need a third party to assess and audit your organisation’s security measures, reducing the likelihood of another attack and limiting the impact of future attacks.
If your organisation has an Incident Response or Crisis Communications Plan in place, notifying your various stakeholders will be one of the key tasks. Letting customers or subscribers know that their data has been leaked on the dark web, communicating with regulators, and the time in-house teams spend liaising with external specialists all come with costs that can add up.
Lost Business/Loss Of Reputation
It’s no surprise that lost business is the largest cost on the cyber incident bill, coming in at up to 40% of the total. Loss of operations can have both short- and long-term ramifications, too; if your customers need to go elsewhere to get what they need, it’s not a certainty that they will come back to you when the incident is over.
Cyber attacks can also impact an organisation’s reputation. This is a difficult cost to calculate but according to Hiscox, 15% of respondents who had been hit struggled with exactly this and reported more difficulties in attracting new business.
The costs associated with an attack can continue to arise for a long time, even months or years, after the initial incident. Some of these may include:
Communications. Ongoing communication with stakeholders could have a hefty price tag attached, especially if the impact of the breach is severe (e.g., the leak of Personally Identifiable Information).
Reparations. These may be required for customers in the form of credit monitoring, payouts or product discounts. This is about rebuilding trust with your stakeholders – they will want to know you are making the utmost effort to limit any impact on them.
Legal costs. Of course, these are not unexpected; whether the organisation is prosecuting the persons responsible for a breach/attack or they must respond to class action taken out by stakeholders, like the one Colonial Pipeline is dealing with now.
Regulatory fines. And finally, regulator fines, particularly in highly regulated industries, can be immense. As a well-known example, the ICO fined British Airways £20m (reduced from £183m – 1.5% of the airline’s global turnover in 2017) for breaching the GDPR in 2018.
According to the 2020 IBM Cost of a data breach report, “Incident Response preparedness was the highest cost saver for businesses”. This trend has continued in 2021, with businesses that have an Incident Response team and have tested their plans seeing a lower average cost if they are breached.
But What Does That Look Like?
Lastly, it’s also helpful if you have a wider understanding of how your organisation is set up to defend against digital threats. We help a lot of our clients achieve this understanding with a maturity assessment. Our consultants spend time in your business to analyse your cyber security and compliance requirements to establish the effectiveness of the measures you currently have in place. They evaluate whether they align with organisational maturity targets based upon risk appetite, stakeholder expectations, and regulatory/legal requirements. This allows you to build on your existing foundation and only spend money where you need to.
If you do think you have been the victim of a cyber attack, or would like to speak to one of our specialists about protecting your organisation against cyber threats, please get in touch.
This article was published in partnership with our cyber security partners PGI.
© SES Secure Limited and ses-escrow.co.uk, 2022. Unauthorised use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to SES Secure Limited and ses-escrow.co.uk, with appropriate and specific direction to the original content.