We read every day of the latest cyber-attacks in which an organisation has suffered a breach of Online Security. The result is usually a loss of confidential data, the compromise of users' financial information, or a defaced website. The organisation typically issues a statement on how much the breach has cost it and offers an apology to those affected.
What is not generally realised is that the true cost to the organisation is far more than the direct monetary loss. The pandemic forced many companies to move to an online presence, especially e-commerce platforms. Unfortunately, attackers followed them there, and malware, DDoS attacks and ransomware have all increased in frequency and severity.
The FBI has noted a steep escalation in reported ransomware attacks and malware attacks in general. Many more are likely to be unreported.
Failures in Online Security have been around for years, and experience shows that the costs can be major and are not limited to direct financial losses. Other costs include:
Reputational damage. Customers and potential customers will consider the organisation a poor custodian of their data. New customers won’t come and existing ones might leave.
Share Price and organisation value decline. As news of the data breach emerges, and reputational damage happens, the value of a publicly listed company will fall with its share price.
Loss of Intellectual Property. If Intellectual Property is part of the theft, the organisation might be at a competitive disadvantage for some time.
Regulatory Issues. Industry and Government watchdogs might demand an explanation of what happened, whether regulatory compliance was breached, and what steps are being taken to restore compliance. They might mount an investigation that interrupts normal business and potentially uncovers other issues.
Employee morale drops. Some staff may leave, and potential new hires could be reluctant to join.
If an individual’s personal data is stolen, it could see them suffering severe difficulties, and instituting litigation against the organisation:
Misuse of banking information, leading to a world of trouble.
An inability to source credit, and calling-in of existing credit lines.
Litigation of this kind is a direct cost to the organisation and a further blow to its reputation. However, the biggest contributor to the cost of an Online Security breach is loss of business. IBM Security reported that this lost-business cost rose from an average of $1.42 million in 2019 to $1.52 million in 2020.
Cisco’s 2018 Annual Cybersecurity Report found that, among organisations that suffered an attack:
22% of breached organisations lost customers, and 40% of those lost more than 20% of their customer base.
29% lost revenue, with 38% of that group losing more than 20% of revenue.
23% of breached organisations lost business opportunities, with 42% of those losing more than 20%.
What to Do
In today’s digital environment, data is assuming critical importance. Indeed, some pundits are calling it “The New Oil”. Data breaches are therefore much more than information leaking from an organisation: they can represent a serious loss of revenue and reputation, up to and including the failure of the business.
The first thing to understand is that a cyber-attack is inevitable. Policies and procedures must be in place to reduce the likelihood of it succeeding, and to limit the losses if it does.
The organisation must also realise that Online Security is a corporate responsibility, not just IT’s. To be sure, IT is responsible for putting Online Security defences, hardware and software, in place and monitoring them. But the FBI reckon that most successful attacks follow a user action, malicious or accidental, so a training and education programme in cybersecurity is essential.
The organisation also needs to have a corporate Business Continuity Plan developed and tested to be able to return the organisation to normal operations following a successful attack.
Because it involves every area of the organisation, that plan will be a corporate endeavour, not just an IT one.
Every business needs to keep a close eye on its security practices, staying alert and vigilant at all times. Work on the basis that prevention is better, and cheaper, than cure.