As a CFO, you are always looking at the potential return on any investment your organization is planning to make. In most cases, such as a marketing campaign, a new salesperson or a new product, the return is the revenue it adds. When it comes to investing in cyber security, the return is the savings from preventing costly cyber attacks or mitigating their impact. So what are all the potential costs of an attack or breach?
Let’s look at a ransomware attack, since they seem to be so popular today. In a ransomware attack, the perpetrator typically gains access to your network, encrypts your data and offers to sell you a key to decrypt your data. The attackers often ask for a reasonable amount so that the affected company is more likely to pay and move on. A company recently reached out to Think|Stack after discovering a ransomware attack. With the state of their systems, it was quickly determined that the only way to recover their data would be to pay the attacker. The amount paid to the attacker was under $2,000. After some troubleshooting with the attacker (yes, they are often helpful and even friendly), we were able to recover the data. You might be thinking that’s not so bad. That was just the beginning, though, and the ransom itself was a very small fraction of the total cost.
In this type of attack, even after the data is recovered, there is still a risk that malware is present in your network. It is not as simple as decrypting your data and getting back to work. In the example above, we scanned their systems and found that malware was still present. We couldn’t risk having them go back to work on their infected systems, so we began migrating the data to new infrastructure and reinstalling all their applications. It has been over a month, and while they are able to work, they are still not fully operational. In the end, the customer will have paid for hundreds of hours of third-party labor and used hundreds of hours of internal resources to remediate this incident.
While a company does not have access to its data or applications and is working to get back to operational, it may not be able to fully serve its clients. This leads directly to lost revenue, since the company cannot bill for services it is unable to deliver during this time. In a ransomware attack, there is always the chance that sensitive data was compromised. A situation where a company has to disclose a data breach to customers can lead to long-term reputational damage and loss of customers.
A study by the Ponemon Institute found that the average cost of lost business after a data breach in the US was $4.13 million. This includes the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill. The average notification cost in the US is $690,000 after a breach. These costs include the creation of contact databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures, email bounce-backs and inbound communication set-up. (Ponemon study: https://public.dhe.ibm.com/common/ssi/ecm/se/en/sel03130wwen/security-ibm-security-services-se-research-report-sel03130wwen-20180122.pdf)
After the company has remediated the issue, the potential expenses don’t end. Depending on the industry, there can be legal costs, fines, investigative costs, discounts to customers, etc. Getting back to ROI: when you hire a new salesperson, the upside is that they add significant revenue, and the downside is simply their compensation. When looking at cyber security, what you spend to protect your company is the known, bounded side of the equation; the downside is the total potential cost of an attack or breach, or of multiple attacks, which as noted above can be enormous and hard to predict. One way to minimize the downside and make the amount predictable and controllable is cyber insurance. While insurance can help you with remediation costs and even pay you for lost time, it cannot restore your reputation or prevent you from losing clients. As CFO, you need to consider which of the costs discussed above pose the greatest risk to your company, based on the industry you are in and the services or products you provide. You then need to consult with your IT staff or a trusted resource to determine the best solutions to mitigate those risks within your budget.