Fiber optics spread like a fishing net across the Atlantic Ocean. Armored and weighted, they connect to the Somalian capital of Mogadishu, spidering out and above land from there, the lifeline of all businesses–Salaam Bank transactions, emails between legislators, Twitter, a high schooler’s homework, all reliant on this singular communication method.
They’re supposed to be fairly secure, those digital communication lines. The Kevlar-quality coating and below-sea depth protecting against the Atlantic’s hurricane-force winds, shark attack, fishing hooks, undersea earthquake, and countless other possible interferences. But then, on Friday, June 23rd, loaded with heavy cargo, the pointed keel of a large transatlantic ship sliced through that fiber-optic cable to Somalia. The African nation lost all digital communications. News spread that the cut cable may have been a targeted attack instead of an accident. Businesses were forced to close or to greatly modify operations.
It would be weeks before the severed digital umbilicus would be restored, costing the economy an estimated $10 million a day. But from the comfort of a wifi-connected perch on the other side of the Atlantic, it also begs this question: where do estimates like that come from? Media outlets throw around these astronomical figures like, “Cybercrime Costs the Global Economy $450 billion,” and you go, “Wow, that’s a lot of money.” That’s $450,000,000,000–so many zeros when you lay them all out. Where does a figure like that come from, and bringing it back home, what do cyber attacks cost US businesses, specifically, during this year?
Well, we’ll take a look. Here’s a budgetary review of what cyber attacks have cost US enterprises so far in the year 2017.
A Vested Interest
When it comes to cost estimates for things like cyber security breaches, you have plenty of interested parties, even beyond dramatic headlines. With a thorough enough understanding, such as the one we will delve into here, you can also see which factors have predictive behavior. For planning purposes, that identifies the most impactful business decisions to anticipate or mitigate an attack. Governments and businesses alike have a vested interest in such predictions.
Insurance companies have also begun to cover cyber incidents, which generates a strong desire to not only understand the costs of an attack but also to break it down in greater detail, including those predictive measures. Also, as we shall see, different types of attacks and their potential financial outcome. As in so many other fields, we must use the past to predict the future: the measurable costs of past incidents to help anticipate the possible costs of a repeat. Yet incidents, as a whole, continue to rise in both scope and cost, making predictive efforts more challenging.
We’ll be looking at reactive analyses of recent cyber incidents, more so than trying to make any sort of prediction. But, as you shall see, cyber incidents don’t end in a neat little package with a completion date stamped on top, and costs can roll forward, sometimes for several years. On top of that, the field of hacking reeks of copycats, so predictive behaviors and costs naturally emerge from an analysis of the recent past.
Even if out of sheer curiosity, the budgetary review of cyber attacks can make for an interesting conversation.
The Factors Involved
The first place to start is to examine where the majority of expenses come from in the aftermath of a cyber security incident. These can be broken down into two primary categories: direct and indirect.
Direct costs – Direct expenses are those associated with the incident damages itself. Those may include:
- Hiring a cyber security forensics team to verify/determine what occurred.
- Determining which accounts/information were affected.
- Lost business during the incident, such as possible downtime if a website or other services must be taken offline (or are directly impacted such as through a DDoS attack).
- Securing an incident response team and conducting any training of personnel for response.
- Making public announcements, including customer notifications.
- Employee expenses throughout the process, such as time personnel spend on analysis, notifications, and responses.
Indirect costs – Indirect expenses include the after-effects of a cyber incident, and can be more difficult to measure since some may take years to fully resolve (such as finalizing litigation and recovering reputation). Those expenses may include:
- Legal services for defense, compliance, and customer resolution.
- Identity protection services for victims.
- Lost opportunity as a result of public image damage.
- Lost future customers as a result of public image damage.
- Customer churn of existing customers (more on that below).
- Free or discounted services to customers to assist with damage control or to recover customer churn.
- Any unexpected/unplanned expenses associated with systems upgrades or employee training as part of a prevention plan to assist with the prevention of additional future cyber incidents.
The most accurate analyses of costs of cyber security incidents include churn (another word for “turnover”) and fewer new customers (called “diminished customer acquisition”). So here’s a closer look at those factors, from a global study by the Ponemon Institute.
“Turnover of existing customers: The estimated number of customers who will most likely terminate their relationship as a result of the breach incident. The incremental loss is abnormal turnover attributable to the breach incident.”
“Diminished customer acquisition: The estimated number of target customers who will not have a relationship with the organization as a consequence of the breach.”
As you can see, the varying factors involved in a cyber security incident, therefore, can vary greatly by type of incident, and also by type of business/industry. More on that in the next section.
Breakdown by Incident and Industry
Some businesses have virtually no rival, and so the impact to the business of a cyber security incident may cause diminished trust, but not necessarily diminished business. For example, the Internal Revenue Service requires your business, without any rival, and yet has been at the center of many incidents (mostly involving false tax returns and fraud). But just because the costs and impact are different, does not mean they are lower. The IRS has had virtually no customer churn as a result of cyber-related fraud or incidents, but has reportedly spent billions on fraudulent tax returns–that’s billions of tax dollars no longer in the budget!
Certain types of incidents also have less impact on customers. For example, leaked employee personal information, though still a cyber incident, may have little or no indirect impact on customer churn or acquisition. (It may have an impact on employee acquisition, but such costs are not part of this analysis).
Here’s a closer look at some of the industries and incident types.
Industries with the historically highest costs associated with a cyber security attack (data from the same Ponemon incident study and based on global industries):
- Life Science
The industries with the highest costs tend to be those which either maintain sensitive records, get the most frequent attacks, have the highest notifications costs, or have the highest legal costs associated with an incident. For example, churn might be higher when a bank has a cyber security data breach than say, the recent incident at Buckle retail stores.
Another common factor associated with higher than average costs includes the direct cost of an incident losing access to present operations–such as the energy industry getting hit, which results in direct loss until the restoration of energy services (and has a rippling effect of direct loss to all of their customers’ operations that require the energy).
Costs can also vary greatly by the type of incident. In an analysis by Kaspersky Labs, the most expensive incidents–by far!–are those that involve the failure of a third party supplier. (Remember the Target holiday-season fiasco that was caused by an appliance supplier?) Here is the list of the most expensive types of incidents, in descending order:
- Failure of third-party suppliers
- Fraud by employees
- Cyber espionage
- Network intrusion/hacking
- Intentional leaking
- Accidental leaking
- Software vulnerabilities
Of course, there’s some overlap between these categories, as cyber security breaches are not always so clearcut. For example, the Wannacry virus was malware, that preyed on software vulnerabilities, but also likely started with phishing. Still, the categories work, overall, and were based on Kaspersky’s survey data.
For the largest companies, there’s a shift in expenses, with cyber espionage costing the most, in terms of damages, followed by vendor/third party failure and then network intrusion/hacking, but for small or mid-sized organizations, the list above is the order.
So even though they can shift, a little, depending on the industry and size of your company, you can see the categories for the biggest data breaches. As far as overarching categories go, system glitches and human error cost much less than malicious or criminal attack.
An Us Problem
While an incident like the one in Somalia had a tremendous impact on the nation, imagine such an incident in the United States. Somalia lacks the infrastructure of the US, with so much more connectivity state-side, and yet it takes an attack of a much smaller magnitude to have a higher cost. In fact, data breaches in the United States cost more than anywhere else in the world.
While, of course, some costs might be expected to be higher, such as settling litigation in the aftermath of an incident, other factors include the higher notification costs and the higher likelihood of customer churn. It seems that customers might be more loyal elsewhere, but in a consumer-capital driven country like the United States of America, a cyber incident can have a devastating impact on both current customer churn and diminished customer acquisition.
US companies also house as much as 85% of assets in digital form, placing US companies with data breaches in a higher position of data breach vulnerability than some other nations. Incidents cost the most in the United States and Canada, the least in Brazil and India (even though, ironically enough, Canada has some of the lowest rates of data breach and Brazil incredibly high attack frequencies).
Beyond just the cost of operations within a certain country, the data reflects a need to prepare in appropriate ways. That means that in the United States, more than anywhere else in the world, the fluidity with which a cyber incident gets handled has a much greater impact on the final cost of an attack to a company.
For better or worse, enough cyber security incidents have occurred around the globe now to have a very good understanding of organizational factors that may increase or decrease the overall cost of an incident. Considering that 90% of companies in the United States will experience at least one cyber incident, it’s clearly worth investing in the right preventive measures to help not only mitigate risks (a common tactic), but also diminish the costs of an attack when it does occur.
Some of the factors which may improve (decrease) the cost of a cyber incident include:
- Employee training
- Use of security analytics
- Having cyber insurance
- Having an effective and trained incident response team
- Extensive use of encryption (so if a leak occurs, the data is at least well-encrypted)
- An effective PR response, which helps minimize churn
These factors are over-and-above such simple measures as successful password policies, system compartmentalization, and updated/supported software systems–all of which should be considered standard operating procedures in a digital age. If doing your own internal budgetary review, these cost control measures each deserve their own analysis.
Conclusions and Final Numbers
So what does all of this add up to? An incredible variance in costs. Insurers have been warned by researchers that the cost of a cyber attack is on par with a hurricane: the next-level WannaCry could cost a Katrina. That’s some pretty bad news. At this time, the average total cost to a company of a cyber incident within the United States is $21.22 million, up significantly over last year’s average of $17.36 million (Accenture figures, see the full report here).
The good news is that given the advancements in analytics, the possibility of access to mitigation resources, and the possible support of 3-party technology, a company of any size, within any industry, now has an incredible breadth of data available to help identify and mitigate cyber risks.
There will never be a fool-proof zero-cost solution to cyber threats until the threats themselves are gone, just as there will never be a stop to all Atlantic hurricanes. But with the right support, one can weather the storm.