We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true—even inevitable—then cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world.
—Ginni Rometty, Chairman, President, and CEO of IBM Corp.
Just as Amazon has replaced the department store down the street, cyber crime has replaced a store robbery. Companies can no longer be surprised by a cyber crime committed against them; they need to be prepared for one. The most effective way to convince your company to prepare and set up cyber attack defenses is to help them understand what an attack could cost the company.
The average annual cost of cyber crime to businesses is on the rise. From 2016 to 2017, it rose by 23% to $11.7 million per company. However, this number only shows the average cost and not the potential cost. Several malware attacks in 2017 ended up costing several businesses hundreds of millions of dollars. Mondelez attributed a 3% loss in quarterly growth rate to the Petya malware attack. Reckitt was hit even harder by the same attack, losing 1% in their annual growth rate. However, the losses felt by these companies, and others in the consumer goods and food processing industries, are still minimal. These sectors are not even the prime targets for cyber attacks. It is the financial services industry and energy sector that are losing the most money from cyber attacks.
These monetary losses can be initially measured by delays caused when company systems are attacked and organizations are not able to take or fulfill orders. However, there are additional costs that trickle in over the coming months.
Consumers expect their information to be kept safe. They trust the brands that they buy from to do this. When U.S. consumers see that companies are upholding their end of the deal, securing customer personal and financial data, the vast majority of them stay loyal to the brand. It is when organizations are breached and they become victim to a cyber attack that customers begin to have doubts. They no longer feel comfortable entering their card information on the company’s website. New customers attach a stigma to the business and its products or services. Regaining consumer trust can take years and without the ability to retain current customers and bring in new ones, an organization will not be able to compete.
Most companies think of a cyber attack as an isolated incident. It happens and then it is over. Unfortunately, this is not how it works. The effects of cyber attacks linger. Most of the time there are countless issues that have to be resolved and every division is all-hands-on-deck. According to a recent study, ransomware cyber attacks take roughly 23 days to recover from and attacks that involve inside cooperation usually take about 50 days to sort out.
This means that a significant portion of the workforce is dedicating their time and labor to recovery efforts instead of business-as-usual, putting a company weeks, if not months, behind schedule. On average, this will set an organization back $300 per employee per day, not including executive-level staff.
In 2015, 159 million sensitive information records were stolen. In the first six months of 2017, this number jumped to 2 billion. The growing trend of cyber attacks is clear and, much of the time, the attackers are after data. As Ginni Rometty’s quote illustrates, data is invaluable. If a cyber attack breaches a company’s database, everything from proprietary company data to customer information could be stolen.
If it is proprietary company information that is stolen, a company’s private data that helps them to compete could become public, destroying their competitive edge. If it is customer data, not only is customer trust lost, but there are also hefty legal fees, penalties, and fines that an organization will be required to pay. Target is a great example of this. Because of a 2013 data breach, they were forced to pay out nearly $19 million in settlements.
Too many executives forget that cyber attacks affect more than systems, processes, and public opinion. Attacks can also damage physical items that the company owns. If ransomware is spread to every single employee laptop, computer, tablet, and phone, it is likely that every single device will need to be replaced. If company machines are hacked into, it could cause them to malfunction and shut down, forcing the company to purchase new machinery. While this damage does not make up the most substantial portion of the cost of a cyber attack, at only 3% in 2016, if put into a dollar amount it can run into the hundreds of thousands, if not millions.
A recent assessment found that about 85% of business assets are digital. This estimate makes it easier to understand how a digital attack can create serious investor and shareholder doubts. This is especially true for smaller companies, as they typically do not have comprehensive infrastructure in place to handle a solid internal and external response. Additionally, their brand recognition is generally not high enough to encourage shareholders to remain loyal. However, it should not be presumed that large companies cannot suffer as severe a blow to their value from a cyber attack. A loss of shareholder confidence, following three data breaches, is likely what allowed Verizon to purchase Yahoo for $4 billion less than was offered before the breaches. Another example can be seen through TalkTalk, which lost 40% of its value during the four months following a cyber attack.
There are no two ways about it. Cybercrime is costly for any company and it will only become more so in the coming years. For this reason, organizations need to prepare themselves with better security tools, processes, and systems.