We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true—even inevitable—then cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world.
—Ginni Rometty, Chairman, President, and CEO of IBM Corp.
Just as Amazon has replaced the department store down the street, cybercrime has replaced a store robbery. Companies can no longer be surprised by a cyber crime committed against them; they must be prepared for one. The most effective way to convince your company to prepare and set up cyber attack defenses is to help them understand what an attack could cost the company.
The average cost of annual cybercrime on businesses is on the rise. From 2016 to 2017, it rose 23% to $11.7 million per company. However, this number only shows the average cost, not the potential cost. Several malware attacks in 2017 cost several businesses hundreds of millions of dollars. Mondelez attributed a 3% loss in quarterly growth rate to the Petya malware attack. The same attack hit Reckitt even harder, losing 1% in their annual growth rate. However, the losses these companies and others feel in the consumer goods and food processing industries are still minimal. These sectors are not even the prime targets for cyber attacks. The financial services and energy sectors are losing the most money from cyber attacks.
These monetary losses can be initially measured by delays caused when company systems are attacked and organizations cannot take or fulfill orders. However, there are additional costs that trickle in over the coming months.
Consumers expect their information to be kept safe. They trust the brands that they buy from to do this. When U.S. consumers see companies upholding their end of the deal and securing customers’ personal and financial data, most stay loyal to the brand. It is when organizations are breached, and they become a victim of a cyber attack that customers begin to have doubts. They no longer feel comfortable entering their card information on the company’s website. New customers attach a stigma to the business and its products or services. Regaining consumer trust can take years, and an organization will not be able to compete without the ability to retain current customers and bring in new ones.
Most companies think of a cyber attack as an isolated incident. It happens, and then it is over. Unfortunately, this is not how it works. The effects of cyber attacks linger. Countless issues must be resolved most of the time, and every division is all hands on deck. According to one study, ransomware cyber attacks take roughly 23 days to recover from, and attacks that involve inside cooperation usually take about 50 days to sort out.
This means that a significant portion of the workforce is dedicating their time and labor to recovery efforts instead of business as usual, putting a company weeks, if not months, behind schedule. On average, this will set an organization back $300 per employee per day, not including executive-level staff.
In 2015, 159 million sensitive information records were stolen. In the first six months of 2017, this number jumped to 2 billion. The growing trend of cyber attacks is clear, and much of the time, the attackers are after data. As illustrated by Ginni Rommety’s quote, data is invaluable. If a cyber attack breaches a company’s database, everything from proprietary company data to customer information could be stolen.
If proprietary company information is stolen, a company’s private data that helps it compete could become public, destroying its competitive edge. If it is customer data, customer trust is lost, and an organization will also be required to pay hefty legal fees, penalties, and fines. Target is a great example of this. Because of a 2013 data breach that they were victims of, they were forced to pay out nearly $19 million in settlements.
Too many executives forget that cyber-attacks affect more than systems, processes, and public opinion. Attacks can also damage physical items that the company owns. If ransomware is spread to every employee’s laptop, computer, tablet, and phone, every device will likely need to be replaced. If company machines are hacked into, it could cause them to malfunction and shut down, forcing the company to purchase new machinery. While this damage does not make up the most substantial portion of the cost of a cyber attack, at only 3% in 2016, if put into a dollar amount, it can run into the hundreds of thousands, if not millions.
A recent assessment found that about 85% of business assets are digital. This estimate makes it easier to understand how a digital attack can create serious investor and shareholder doubts. This is especially true for smaller companies, as they typically do not have comprehensive infrastructure to handle a solid internal and external response. Additionally, their brand recognition is generally insufficient to encourage shareholders to remain loyal. However, it should not be presumed that large companies can not suffer as severe a blow to their value from a cyber attack. A shareholder loss in confidence following three data breaches likely allowed Verizon to purchase Yahoo for $4 billion less than was offered before the breaches. Another example can be seen through TalkTalk, which lost 40% of its value during the four months following a cyber attack.
There are no two ways about it. Cybercrime is costly for any company and will only become more so in the coming years. For this reason, organizations need to prepare themselves with better security tools, processes, and systems.
