To improve cybersecurity, chief information security officers (CISOs) and other IT leaders need to get buy-in from other key stakeholders, for example, management teams and boards. But talking about cyber risk management in technical terms can be off-putting. Instead, these other leaders want to know what cyber risk means in clear business terms. That’s why it’s important to talk about how cyber events can lead to financial loss.
If business leaders understand that cyber attacks can cost money due to regulatory fines, data recovery expenses, extortion payments, etc., then they could be motivated to invest in stronger defenses.
In particular, CISOs and other IT leaders should explain how cyber attacks can lead to financial loss across three primary areas:
Technology costs: A cyber attack can force an enterprise to repair or replace affected systems, pay for data restoration and forensics services, or add new protections, such as deploying threat detection software.
Hard business costs: Beyond technology costs, a cyber attack triggers direct expenses that eat into profit: for example, legal and PR teams to manage the response, and overtime for IT staff who must put in extra hours to recover.
Soft business costs: After the hard costs come soft costs that are harder to quantify but still add up. For example, once you have paid a PR team to issue a statement about the attack, your business may still need to repair the reputational damage from the breach, which can mean additional marketing spend to turn customer sentiment around.
To avoid being hit with these expenses unexpectedly, organizations of all sizes should quantify their cyber risk (i.e., translate it into financial terms). That way, they can plan ahead, whether by investing proactively in technology or by setting aside a budget for cyber-related losses.
In particular, businesses should understand how different types of events lead to financial loss so that they know what to shore up. If an attack does occur, they will at least be better prepared for what it means for their finances.
With that in mind, the top five cyber risk scenarios that can lead to financial loss include:
Data Breaches
A data breach, whether an attacker gets into your customer records or an employee mistake exposes sensitive data, can quickly get expensive. From remediating the attack, to notifying affected parties, to facing compliance penalties and fines, there are many different types of costs associated with a data breach.
The costs can vary widely depending on factors like the data you hold and the scope of the attack. That’s why it’s useful to conduct a cyber risk financial quantification to see what a data breach could mean for your organization. But data breach costs can also depend on how you respond to an attack.
For example, Yahoo (by then renamed Altaba) agreed to pay a $35 million penalty to the U.S. Securities and Exchange Commission (SEC) to settle “charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts,” as the SEC explains.
Double Ransomware
Another costly cyber event is double ransomware (more commonly called double extortion). Ransomware first encrypts your files or systems, leaving you unable to operate as usual; the “double” element is a second lever the attackers pull, typically exfiltrating your data before encrypting it and threatening to leak it unless you pay.
As with a data breach, a data leak from double ransomware is costly to clean up. Beyond the initial cost of removing the ransomware, you may also face expenses such as notifying customers about the leak.
Traditional Ransomware
While double ransomware can be particularly costly, don’t underestimate the pain that traditional ransomware can bring. “Ransomware incidents can severely impact business processes and leave organizations without the data they need to operate and deliver mission-critical services. The monetary value of ransom demands has increased, with some demands exceeding $1 million,” notes the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Even though the FBI and other agencies advise against paying, the reality is that many businesses do make these extortion payments to decrypt their files, and so incur that cost. (Disclaimer: Kovrr does not endorse making ransomware payments.)
Even if you don’t pay the ransom, other steps, such as restoring your data from backup, take time, especially if the most recent backup is out of date. Time spent on remediation instead of sales translates into lost revenue.
Business Interruption
Beyond the delays that ransomware causes, some cyber attacks are aimed squarely at business interruption. For example, denial-of-service attacks, in which attackers flood a target with traffic, can take websites offline entirely. If you run an e-commerce business, website downtime translates directly into lost revenue.
Denial-of-service attacks can also hit infrastructure, making it hard for businesses to operate as usual. For example, you might be unable to reach a cloud service your business depends on if the service provider is attacked.
Financial Theft
Lastly, businesses should watch out for cyber attacks that lead directly to financial theft. An attacker could use phishing to trick an employee into revealing bank login credentials, or into wiring money to an account the attacker controls (the classic business email compromise, or BEC, scam).
“Banks have invested so heavily in security that it’s becoming very costly for fraudsters to attack them directly. Instead, fraudsters change tactics and increase their efforts by way of deceiving business owners,” notes M&T Bank.
Or a scammer might impersonate a tax agency, for example, and frighten a business into paying for something it doesn’t actually owe.
Financially Quantify Your Cyber Risk
As these scenarios show, cyber events can cost your business money in several ways. While it isn’t always possible to block every threat, companies can at least prepare by estimating what the financial impact of a cyber attack would be.
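As an added example (not code from the original post and not Kovrr’s own model), the Python script below sketches one common way to carry out the financial quantification discussed above: a Monte Carlo simulation in which each of the five scenarios is given an assumed annual event frequency (a Poisson rate) and an assumed loss severity (a lognormal distribution described by a median loss and a dispersion), and the aggregate annual loss is simulated many times to produce an expected annual loss, loss percentiles, and a loss-exceedance probability. Every parameter value is a constructed placeholder, not a figure from the page; a real exercise would calibrate them from incident data and the organization’s own asset inventory.

```python
import math
import random

# Constructed, illustrative parameters (placeholders, not figures from the
# page): for each scenario, an assumed annual event frequency (Poisson rate)
# and a lognormal loss severity given as a median loss in USD plus a
# dispersion sigma (larger sigma = heavier tail).
SCENARIOS = {
    "data_breach":           {"rate": 0.30, "median": 250_000, "sigma": 1.0},
    "double_ransomware":     {"rate": 0.10, "median": 600_000, "sigma": 1.2},
    "ransomware":            {"rate": 0.20, "median": 200_000, "sigma": 1.0},
    "business_interruption": {"rate": 0.50, "median":  40_000, "sigma": 0.8},
    "financial_theft":       {"rate": 0.40, "median":  30_000, "sigma": 0.9},
}


def poisson(rng, rate):
    """Number of events in one year (Knuth's sampler; fine for small rates)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(scenarios=SCENARIOS, trials=20_000, seed=1):
    """Return one simulated total annual loss (USD) per trial."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    losses = []
    for _ in range(trials):
        total = 0.0
        for s in scenarios.values():
            for _ in range(poisson(rng, s["rate"])):
                # lognormvariate takes mu (the log of the median) and sigma
                total += rng.lognormvariate(math.log(s["median"]), s["sigma"])
        losses.append(total)
    return losses


def _percentile(sorted_losses, q):
    idx = min(len(sorted_losses) - 1, int(q * len(sorted_losses)))
    return sorted_losses[idx]


def summarize(losses):
    """Headline figures a CISO can put in front of the board."""
    ordered = sorted(losses)
    return {
        "expected_annual_loss": sum(ordered) / len(ordered),
        "p_any_loss": sum(1 for x in ordered if x > 0) / len(ordered),
        "p50": _percentile(ordered, 0.50),
        "p95": _percentile(ordered, 0.95),
        "p99": _percentile(ordered, 0.99),
    }


def probability_loss_exceeds(losses, threshold):
    """Loss-exceedance probability P(annual loss > threshold), e.g. to size a
    loss reserve or a cyber-insurance retention."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def analytic_expected_loss(scenarios=SCENARIOS):
    """Closed-form sanity check on the simulation: E[total] = sum(rate *
    E[severity]), with E[lognormal] = median * exp(sigma^2 / 2)."""
    return sum(s["rate"] * s["median"] * math.exp(s["sigma"] ** 2 / 2)
               for s in scenarios.values())


if __name__ == "__main__":
    losses = simulate_annual_losses()
    for name, value in summarize(losses).items():
        print(f"{name:>22}: {value:,.2f}")
    print(f"analytic expected loss: {analytic_expected_loss():,.2f}")
    print(f"P(loss > $1M): {probability_loss_exceeds(losses, 1_000_000):.3f}")
```

The expected annual loss is what a budget line should cover on average; the p95 and p99 figures, and the exceedance probability at a chosen threshold, are what answer the board’s real question, namely how bad a bad year could be. Because the simulated mean should sit close to the closed-form value from analytic_expected_loss, a large gap between the two is a quick signal that the sampler or the parameters are wrong.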
If you’re struggling to determine the dollar value at-risk around each of these scenarios, talk to us now. We can help you understand your financial exposure in detail.