[BreachExchange] What Is The Actual Cost of a Cyberattack?

Audrey McNeil audrey at riskbasedsecurity.com
Fri Feb 10 19:15:10 EST 2017


https://eforensicsmag.com/actual-cost-cyberattack-diamond-grant/

While 2016 brought many new developments, one thing that stayed fairly
consistent was the growth in cyberattacks. Not just in number, either:
cyberattacks are becoming more expensive both for victims and for those
trying to avoid becoming victims.

A study by the Ponemon Institute comparing 2015 and 2016 found that the
average annual cost of cybercrime to an organization rose by about 23
percent, from $7.7 million to $9.5 million.

Obviously, these numbers are just an average for all businesses surveyed,
but they demonstrate just how financially draining a single security breach
can become. Yet, do these numbers truly reflect all that is lost from
cyberattacks?

Increasing Costs of Prevention

There's no question that preventive measures can save a large amount of
money when a cyberattack does happen; in some cases, over a million dollars
is saved simply by keeping backups and having a plan for when data is lost
or destroyed by attackers.

However, those savings are only realized in a disaster. In the meantime,
everyone is footing the bill for extra employee training time, security
software licences and extra hardware for backups.

These costs add up: professional anti-malware services can run as much as
$50 per user per year, not including more advanced features such as
encryption of cloud storage. Firewalls are a different matter; high-quality
solutions reach into the tens of thousands of dollars before the support
contract and regular upkeep are counted (yet they are absolutely essential).

Additional servers to take over during a DDoS attack or a malware outbreak
can also add up to thousands of dollars. Startups may be able to do without
such protection, but more established companies need that insurance.

No one is suggesting these costs aren't ultimately worth it, only that
businesses now face steeper start-up costs as a result. A small business,
for instance, first invests in small-scale security measures, only to need
much larger and more expensive options later on, usually with no return at
all on the initial investment.

Individuals pay a similar penalty. A single user once needed only a free
anti-virus program. Unfortunately, newer threats (especially on public
Wi-Fi) all but require a VPN, some form of backup in case of disaster and
even credit monitoring services to head off runaway identity theft.

Loss of Customer Trust

Trust is the least tangible of these areas, yet it is a contender for the
most valuable asset a company has. Whether selling to other businesses or
directly to consumers, being trusted by the target market remains critical.

Yet this is exactly where cyberattacks hit hardest. Breaches and losses to
malware or ransomware signal a lack of competence and a general lack of
responsibility, and customers tend to shy away from that.

Regaining that trust isn't easy either: smaller companies rarely recover,
and larger companies still feel the bite long after the financial and legal
consequences subside. In 2016, Samsung lost billions of dollars over its
bungled Galaxy Note 7 launch, and it stands to lose even more in 2017
through lost consumer confidence.

Personal Losses

Following a cyberattack, the losses depend on the target. A business may
fold, but an individual cannot walk away from their own identity. The costs
for a single person caught up in a cyberattack may include several different
factors:

Loss of credit rating and credit opportunities
Financial damages and time spent recovering said damages
Permanent alterations to medical records

No matter the reason for the actions following an attack (purchases in your
name, new accounts under your identity, etc.), most credit agencies still
hold you personally responsible. Repairing damage to credit can take years,
even if identity theft is identified as the cause.

Most banks and card issuers insure you against a certain degree of fraud,
but coverage isn't universal and reimbursement may not be immediate,
depending on how the losses occur. A string of minor charges to your
account may go unnoticed, even by you.

For private individuals, the least noticed area of damage is actually the
medical realm. When cyberattacks on medical institutions result in stolen
records, your information may be used to obtain fraudulent medical care.

Keep in mind that medical records typically include all the information
needed to commit identity theft, from home addresses and phone numbers to
payment methods and insurance details. They also contain your treatment
history, which makes impersonating you that much easier.

One unfortunate side effect is a nearly indelible mark on your records. In
the US, federal law makes it difficult to remove records of treatment, even
treatment you never actually received. The cost could be deadly: an
impostor's allergies or conditions entered into your record could lead to
fatal mistakes in your future care.

Legal Trouble

Companies that suffer a cyberattack that exposes consumer data face more
than the cost of recovering that data and repairing infrastructure. The
Supreme Court has left decisions about privacy liability in the hands of
the lower courts, opening up the possibility of lawsuits over the risk of
harm before any concrete loss from a breach has occurred.

Now, on top of the cost of hiring experts to re-evaluate your system's
security, your business may also face court fees, legal fees and the
possibility of a settlement.

This is especially true in Europe, where companies have long been legally
liable for their customers' privacy. The General Data Protection
Regulation, adopted in 2016 and applying from May 2018, raises that
liability further: individuals gain an explicit right to lodge complaints
and sue for compensation, and companies face fines of up to 4 percent of
global annual turnover for non-compliance.

And these costs scale with the size of the business: the more customers you
have, the greater the liability you incur. Recall that after Target's
breach, disclosed in late 2013, the company's corporate credit rating was
downgraded, raising its borrowing costs across the board.

Biting the Bullet

Like it or not, costs are expected to keep rising in the coming year. As
systems become more complex and cyberattacks more profitable, security
solutions will come at increasing premiums.

Yet the cost of skipping those premiums is higher still. What this means
for the industry is anyone's guess; most likely, the cost will be passed on
to the consumer. But how much can the consumer really afford?

Tell us what you think; what will you do to circumvent cyberattacks? Let us
know what you plan to do in the comments section.