It doesn’t look like this will slow down in 2022, with large-scale attacks on KP Snacks, the Red Cross, Ukraine, Canada, and North Korea all hitting the headlines in recent weeks. While attacks hurt big businesses, down country operations and test customer trust, they’re not typically an extinction-level event. For smaller businesses, the threat is just as high, but their chances of making a full recovery are considerably slimmer.
The impacts of a cyber-attack are unique to each organisation, dependant on the timing and duration, and the industry in which it operates. For example, a data breach may have more financial consequences for the financial sector than, say, in manufacturing. And there is no doubt that the aftereffects of an attack on a nation state will be felt operationally, far and wide. For most business however, there are five common impacts that should be considered when evaluating their security posture, including:
Loss of customer and stakeholder trust can be the most harmful impact of a cybercrime, especially when considering the overwhelming majority of people would not chose to do business with a company that had been breached, particularly if customers’ data had been exposed. This can translate directly into a loss of business, as well as devaluation of the brand you’ve worked so hard to build. Although on a case-by-case basis it’s difficult to quantify the erosion of reputation due to a data breach, according to one industry insider speaking with ITPro, “we see a 60 percent failure rate among SMBs after a company discloses a breach within 6-12 months, partly due to confidence issues and partly due to recovery challenges.”
While a cyber-raid on a big-name bank may net the attacker a sizeable haul, smaller businesses’ defences are typically less sophisticated and easier to penetrate, making them a softer target. Cyber-enabled fraud leads to monetary losses, but stolen data can be worth far more to hackers, especially when sold on the Dark Web. A report by The Digital Shadows Photon Research team found that the average price for commercially traded logins on the Dark Web was a ‘modest’ $15.43; but when it came to domain administrator accounts that give access to internal business networks, (typically sold by auction because of their value to hackers), the price spiked to an average of $3,139 and, in select cases, reached an eye-popping price of $120,000. Intellectual property theft may be equally damaging, with companies losing years of effort and R&D investment in trade secrets or copyrighted material – and their competitive advantage.
Cybercrime costs small businesses disproportionately more than big businesses when adjusted for organisational size. For a large corporations, the financial impact of a breach may run into the millions, but at their scale, the monetary implications are barely a blip on the radar. According to the latest data breach report by IBM and the Ponemon Institute, the average cost of a data breach in 2021 is $4.24M, a 10 percent rise from its average cost of $3.86M in 2019. Even more troubling is the report’s finding that the longer a breach remains undetected, the higher its financial impact. For example, data breaches that were identified and contained within 200 days had an average cost of $3.61 million. But breaches that took more than 200 days to identify ad contain had an average cost of $4.87 million ― a difference of $1.26 million.
As if direct financial losses weren’t punishment enough, there is the prospect of monetary penalties for businesses that fail to comply with data protection legislation. In May 2018, the General Data Protection Regulation or GDPR went into effect in the EU. The enforcement powers associated with the law are significant. Fines for violations can reach up to 20 million Euros or 4 percent of a firm’s global annual revenue, per violation, whichever is larger. In 2020 European data agencies issued £159 million in fines for violations of GDPR, where the single highest penalty imposed was a £42 million fine French authorities issued to Google.
In addition to the economic costs of incident response, there are several intangible costs that can continue to blight a business long after the event itself. The impact of operational disruption tends to be woefully underestimated – especially among firms that have little in the way of formal business resilience and continuity strategies – and small organisations that already struggle to manage cash flow may face crippling rises in insurance premiums or see an increased cost to raise debt.
Cyber security, resilience and incident recovery isn’t an IT problem. Instead, it’s a business imperative. With cyber criminals adopting more sophisticated attack methods, and data continuing to play an expanding role in operations, continuity strategies must become a priority. Implementing a comprehensive cyber security response strategy today can help organisations avoid having to shut up shop if hackers strike tomorrow.