Impact of a cybersecurity breach: 8 ways it costs you
Buckle up. This one’s going to hurt. In the world of business continuity, so much attention is paid to the destruction of natural disasters, like severe storms and flooding. But the reality is: cybersecurity breaches can be just as destructive. And they happen far more frequently.
If your company has a business continuity plan, then you already know that. The costs of a breach can quickly skyrocket, especially when your operations are disrupted.
In this post, we look at the specific ways your company will feel the impact of a cybersecurity breach, particularly on your bottom line. Ouch.
What kind of cybersecurity breach are we talking about?
Cybersecurity breaches can take many forms. We’ll point to specific examples throughout this post, but generally speaking, we’re talking about all the breaches that organizations encounter every day, such as:
- Ransomware infections
- Other viruses and malware installations
- Phishing attacks
- Data breach / theft
- Brute-force password cracking
- System vulnerability exploits
- Cyber extortion
The list goes on and on. And while some of these breaches are less destructive than others, any one of them can have a costly impact on your business.
1) System malfunction & repair
Malware infections can cause a lot of damage to your systems in a short period. Whenever your technology is impaired by a cybersecurity breach, it ultimately costs you time and money.
Some examples of system malfunction include:
- Malware-caused software bugs that require new installations
- Operating system errors that make machines slow or inoperable
- Damage to server drives and/or configurations
- Altered network settings or damage to network firmware
When your technology doesn’t work like it should, your business suffers. Employees can’t perform their work as efficiently, which means your productivity suffers.
But also, there’s the cost of repairing or replacing your malfunctioning infrastructure, which is a whole other huge expense to consider.
2) Idle employees & downtime
When the breach is big enough to cause a widespread operational disruption, your employees have nothing to do but wait. This loss of productivity is extremely expensive, and the costs continue to climb with each passing minute.
Consider a breach like ransomware, which locks workers out of their files and often makes their desktops unusable. They can’t perform any of their job duties. And even if you send them home, chances are you’re still paying their wages. It’s a huge waste of money.
Even without interference from a cybersecurity incident, workers’ “idle time” costs employers $100 billion a year. So when a large portion of your workforce is suddenly sidelined, a single cybersecurity attack can drop an anchor on your bottom line.
3) Manufacturing disruptions
In June 2017, pharmaceutical giant Merck was one of many companies disrupted by the global NotPetya ransomware attack. Merck has remained tight-lipped about the attack, but several news organizations reported that the ransomware disrupted its production of certain medicines and vaccines.
Even a month after the attack, the company was “still in the process of restoring its manufacturing operations,” according to Reuters. The attack also affected the company’s ability to deliver other products on schedule.
One group estimated that Merck’s insurers would pay $275 million to cover insured losses from the event.
At every manufacturing company, technology and software are now deeply interwoven into operations. So when a major cybersecurity breach occurs, it can bring those operations to a screeching halt.
4) Revenue loss
What’s the next obvious impact of a cybersecurity breach after a manufacturing interruption? Revenue interruption. Because if you can’t make your product, then you can’t sell it either. You can’t fulfill orders. And if your deliveries are delayed, it may hurt your future sales too (more on this in “Reputation damage” below).
A June 2017 report highlighted by CNN showed that 15% of businesses hit by ransomware had lost revenue because of the attack. On average, small companies lost more than $100,000 per incident.
Again, it’s not just ransomware you need to prepare for. A wide range of malware and cybersecurity breaches can be just as damaging when they block your revenue streams. For Internet retail businesses, for example, another costly cybersecurity threat is a DDoS attack, in which hackers flood a website with so much traffic that it takes the whole site offline. A 2017 report showed that SMBs lost about $123,000 on average from such attacks, while enterprise businesses lost an average of $2.3 million.
5) Data loss
In the age of data, losing even just a few important files can be costly. So when you experience a cybersecurity breach like ransomware, which can encrypt large swaths of data across your entire network, the impact can be devastating.
Data has become the lifeblood of many businesses today. A 2013 study highlighted by Dell found that large U.S. companies lost an average of $5.4 million per data loss incident. Even when the data can be recovered, the costs can still skyrocket, especially when companies need to hire additional resources and invest in new technologies to get that data back (more on that below).
These events can be even more costly for industries like healthcare and financial services, which must comply with strict regulations on how they handle sensitive data. For these organizations, there is a high cost for the loss of data itself as well as the cost of regulatory fines.
In addition to ransomware, a number of other cybersecurity breaches can cause data loss. This is why it is so important for businesses of all sizes to deploy a data backup and business continuity solution.
6) Recovery process
Recovering lost data, applications and systems can be costly and infuriatingly slow.
Just look at the City of Atlanta, which was hit by a SamSam ransomware attack earlier this year. The attackers requested a ransom of roughly $50,000 to decrypt the data. But the attack would cost the city so much more. Five months after the attack, the recovery was still ongoing and costs were expected to surpass $17 million.
Why so much? As Wired points out, the city’s IT personnel needed to greatly expand their resources to respond to the attack. Nearly $2.5 million in the first month was spent on “emergency contracts” with vendors for “digital forensics, extra staffing and Microsoft Cloud infrastructure expertise.”
7) Data theft & breach
What’s worse than losing your data to encryption? Losing it to thieves … thieves who can do a host of additional illegal activity with it that will ultimately cost you even more.
Depending on how it’s executed, data theft can be costly in a number of ways. The sheer news of it can severely damage your company’s reputation, hurting sales immediately and long into the future. But also, when the data itself is sensitive—such as personally identifiable information on your customers—it creates a major liability, leading to regulatory fines and lawsuits. Then there’s the cost of trying to recover that data from the thieves and make sure it stays out of the hands of others. On top of that, there’s the risk that the thieves will try to extort money from your company, threatening to publish sensitive or unsavory information online.
And what about data pertaining to your business strategies or secret products in development? If that data gets into the hands of your competitors, it could mean years of setbacks for your organization.
The average cost of a data breach in the U.S. is $7.3 million, according to figures from a 2017 report by Ponemon Institute. The cost is directly affected by the number of records stolen: “For a breach that results in less than 10,000 records being compromised, the average total cost is $1.9 million, but for 50,000 or more that rises to $6.3 million.”
8) Reputation damage
We’ve touched on this a little already, but it’s important to underscore just how costly a cybersecurity breach can be to an organization’s reputation with customers, vendors and the public.
It’s common for businesses to say after a major breach that “we have no evidence that sensitive information has been used by attackers” – but this is really just a public relations message. Just because a company says it hasn’t found further wrongdoing doesn’t mean it isn’t happening. But even when that message is true, the whole thing just looks bad.
Customers can quickly lose faith in businesses when they fear their personal information isn’t secure, even if it actually is. So even a ransomware attack, which usually doesn’t involve data theft, can create a lack of trust among customers. The breach alone sends the message that there was a lack of cybersecurity in place or a lack of care.
A 2015 study by a UK fraud prevention company found that an “overwhelming majority of people would not do business with a company that had been breached, especially if it had failed to protect its customers’ [credit] card data.”