According to the dictionary, a cost is “an amount that has to be paid or spent to buy or obtain something”. That definition sits awkwardly with cyber security: it is not obvious what you are “buying” when you invest in protecting your business from an attack, and paying a ransom to regain access to data and systems you already owned hardly feels like obtaining something either.
We have seen a number of businesses contact us after an attack to build their resilience and make sure they can both recover and protect themselves from further attacks, having been through the pain, inconvenience and/or cost once. That is generally not an experience anyone is keen to repeat. In an ideal world neither we nor the victims would ever have to deal with this, but when it comes to cyber security, businesses are not operating in that ideal world.
Beyond our own experience there are numerous other cases of businesses, small and large, facing real monetary costs at the hands of cyber criminals. Tech companies, schools, health providers, legal firms, accountants, retailers: the risks are there for every type of business, and the costs must be paid, whether to regain access to systems and data or to get the business operating as it did before the attack.
It is not just larger organisations being targeted, though. There is no hiding from the fact that small businesses are at risk, whether from invoice fraud, supply chain attacks, phishing or ransomware. Some attackers deliberately go after a large number of smaller organisations, knowing that any one of them can be taken down and badly harmed. We have seen this ourselves: a building firm of two people and a recruitment company of three both suffered email compromise that led to invoice fraud, costing them around £10,000 and £8,000 respectively. We have also worked with a manufacturing company of around 300 staff that suffered a ransomware attack. The ransom was not paid, but the business was significantly disrupted for several days, costing money in lost sales and recovery costs.
The investment a business makes in strengthening its cyber security position is not just about mitigating the risk of losing money to invoice or payment fraud, or of having to pay a ransom to an attacker; there is a web of other, hidden costs that must be considered.
Those other costs can include legal bills and regulatory fines incurred in getting the business back to where it needs to be. If GDPR rules are broken, or a governing body issues financial sanctions in response to data losses, fines must be paid. A significant proportion of the fines issued by the ICO and other data protection authorities since GDPR came into force relate directly to insufficient measures to prevent cyber attacks and the resulting data breaches. Beyond this, a business can find itself investing a lot of time and resource in the recovery phase as it investigates root causes, diverts staff from their main roles, or even has to replace some roles or people to ensure the ongoing safety of the business. None of these costs should be swept under the carpet when reviewing the impact of a cyber attack.
When an attack takes a business offline or stops it delivering its product or service to customers, the impacts vary widely with the type of business or service. They range from lost customers or orders, to having to pay others in the supply chain while revenue is lost, to reputational damage and tough questions from suppliers and partners.
So it is safe to say that an organisation suffering a cyber attack or data breach faces an alarming range of potential financial and business costs. This should have business owners and leaders asking questions of themselves and their senior teams to make sure they are doing all they can to plan and prepare for what is, for many, inevitable.
In terms of what leaders can do, the first priority is to make sure every part of the business has been covered when cataloguing the critical systems and data that need protecting. With that in hand, two areas deserve particular focus:
- Incident Management
- Investing in employees
We cannot stress enough the importance of developing an Incident Response Plan, for organisations of every size, in the face of the increasing threat of a cyber attack. Working with specialists like CyberScale helps with the preparation and with getting everything in place to respond when an attack occurs. Read more about Incident Response Planning here.
That said, a plan and the processes around it are something you hope never to have to use! A widely quoted statistic within the cyber security sector is that 95% of cyber security breaches are caused by human error, so continual investment in staff awareness and training is a must-have line in your cyber security defences. Keeping your teams informed and up to date on the threats to your business should be an ongoing activity, not something put in place only in response to an attack or data breach.
And finally, let’s look at the importance of backups. A recent survey reported that the proportion of organisations choosing to pay the ransom in a ransomware attack rose from 26% in 2020 to 32% in 2021, and the outcome for those who paid is sobering: only 8% got all of their data back, and nearly a third could not recover more than half of the encrypted data.
This further highlights the complex web of impacts a cyber attack can have. Do not focus purely on a disaster recovery exercise that aims to get everything back at once. Think more tactically: identify the specific data and systems that are key to ongoing operations and back those up deliberately, so that if you lose something critical you have a much better chance of getting it back quickly. It is also worth highlighting that many companies do not appreciate how long restoring data can take, especially when it is cloud based.
If your business data has been compromised in a cyber attack, it is not uncommon to find that your replicas and backups have been compromised as well, so you end up searching for the most recent malware-free copy you can find. That copy may turn out to be days or even weeks old, which is far from ideal when trying to get the business running as it was before the attack. Alongside this you may also need new, clean servers to host the recovered data, so that the post-attack environment is as clean as possible. In many cases it is preferable, or even necessary, to completely rebuild every affected device following a ransomware attack to be absolutely sure that everything has been removed. In some organisations that can run to hundreds or even thousands of machines.
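The search for the “most recent malware-free copy” is far quicker if each backup snapshot is sealed at the time it is taken, so that a snapshot whose files have since been encrypted, or whose manifest has been rewritten, can be rejected automatically. The following is an added example written for this page, not CyberScale’s own tooling or any particular backup product. It assumes the HMAC key is held somewhere the backup host cannot reach (an offline key store), that snapshots are plain directories, and it constructs three sample snapshots in a temporary directory to show the check working; the file names and contents are invented for the demonstration.

```python
"""
Added example (not CyberScale's tooling): integrity-sealed backup snapshots.

Each snapshot gets a manifest of SHA-256 file hashes, sealed with an HMAC
whose key lives OFF the backup host (assumption: an offline key store).
Ransomware that encrypts the backup files, or an attacker who rewrites the
manifest without the key, fails verification, so recovery can walk the
snapshots newest-first and stop at the most recent clean one.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def build_manifest(snapshot: Path) -> dict:
    """Map each file's path (relative to the snapshot root) to its SHA-256."""
    manifest = {}
    for path in sorted(p for p in snapshot.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[str(path.relative_to(snapshot))] = digest
    return manifest


def seal_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON form of the manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_snapshot(snapshot: Path, manifest: dict, seal: str, key: bytes) -> bool:
    """True only if the manifest is authentic AND the files still match it."""
    if not hmac.compare_digest(seal_manifest(manifest, key), seal):
        return False  # manifest forged or altered without the offline key
    return build_manifest(snapshot) == manifest  # files changed, encrypted or missing


def latest_clean_snapshot(snapshots, key: bytes):
    """snapshots: list of (name, dir, manifest, seal), oldest first."""
    for name, snap_dir, manifest, seal in reversed(snapshots):
        if verify_snapshot(snap_dir, manifest, seal, key):
            return name
    return None  # no intact snapshot: rebuild from scratch


def demo():
    """Constructed scenario: three daily snapshots; the two newest are tampered."""
    key = os.urandom(32)  # stands in for the offline key store
    root = Path(tempfile.mkdtemp())
    snapshots = []
    for day in ("day1", "day2", "day3"):
        d = root / day
        (d / "ledger").mkdir(parents=True)
        (d / "ledger" / "invoices.csv").write_text(f"{day}: INV-1,1000\n")  # sample data
        (d / "config.ini").write_text("[app]\nmode=prod\n")  # sample data
        m = build_manifest(d)
        snapshots.append((day, d, m, seal_manifest(m, key)))

    # day3: ransomware reached the backup store and encrypted the files
    # (simulated here by overwriting each file with random bytes).
    for p in (root / "day3").rglob("*"):
        if p.is_file():
            p.write_bytes(os.urandom(64))

    # day2: attacker altered a file and regenerated the manifest to match,
    # but has no access to the offline key, so the seal is wrong.
    name, d, _, _ = snapshots[1]
    (d / "config.ini").write_text("[app]\nmode=prod\nbackdoor=1\n")
    forged = build_manifest(d)
    snapshots[1] = (name, d, forged, seal_manifest(forged, b"wrong-key"))

    results = {n: verify_snapshot(sd, m, s, key) for n, sd, m, s in snapshots}
    return results, latest_clean_snapshot(snapshots, key)


if __name__ == "__main__":
    results, chosen = demo()
    print(results, "-> restore from:", chosen)
```

The point of the detached HMAC is that an attacker who can write to the backup store can re-hash whatever they have changed, but cannot re-seal the manifest; the point of re-hashing the files at restore time is that a correctly sealed manifest proves nothing if the data beneath it has since been encrypted. In the constructed run, only the oldest snapshot passes, which is exactly the “days or weeks old” outcome described above, but it is found in seconds rather than by trial restores.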
A cyber attack can impose a wide range of impacts and costs on your organisation, and it is important to remember that everything we have described here will only work in a real attack if it is reviewed and tested on an ongoing basis. Relying on something that was set up or implemented a year ago, and never exercised since, can come back to bite you in a post-attack recovery.