When a cyber attack occurs (not if), the question “How much is this going to cost us?” will quickly follow. The immediate out-of-pocket expenses are the first to come to mind, but there are costs that may stretch beyond the first months and definitely beyond actual dollar figures. The true answer to the question of how much a security breach will cost comes down to preparation and a cyber resilience plan.
Immediate costs of a security breach
As soon as an organization is made aware of a security breach, there’s an immediate tab that begins to accumulate. Customer notification, credit monitoring, security investigation, legal fees, and plugging whatever hole resulted in the breach are the most obvious. If no plan is in place for how to handle even one of these items, that tab grows as time is wasted and the damage increases.
If your current cyber resilience plan is simply to stop the bleeding, you may be left with a much bigger bill than you anticipated and, more importantly, than was necessary. Yes, a cyber attack will be costly, but there are ways to lower that cost and come out the other side in one piece.
In our 2018 Security Study, we learned that 87% of our respondents suffered at least one cybersecurity breach in the past year and the average cost to recover could be as much as $3.7 million.
Keeping the business running during a security breach
Of the $3.7 million needed to recover from a security breach, only $215,000 of that is spent on actually addressing the breach. The other $3.5 million is made up of lost revenue and profitability – where the actual numbers are direct reflections of the quality of an organization’s cyber resilience.
Cybersecurity is your first, and most important, line of defense against cyber attackers, but when there’s a breach, your cyber resilience plan activates your incident response and mitigates the damage. It does this by maintaining the organization’s most critical functions so that along with out-of-pocket costs associated with a breach, you’re not also dealing with a complete loss of revenue due to a blackout period.
Our survey showed that the average organization suffered 3.75 days of network, infrastructure, or end-user downtime following a breach. A solid cyber resilience plan aims to limit or avoid blackout periods like this for critical systems, so that even though an organization can’t guarantee it won’t have a breach, it can at least respond well and maintain its basic functions.
Losses beyond the breach
Although blackout periods, employee work days responding to the breach, file recovery, investigation, and repairs all have measurable costs, there are losses that stretch beyond these initial dollar figures. Potential future lawsuits, increased insurance premiums, and even penalties if regulations weren’t followed may continue to add up, but an organization must also think of more abstract losses.
The damage to a brand’s reputation as a result of a security breach is wide-reaching and unfortunate. There’s no definitive way to measure the loss of trust in an organization or the effect of bad press, but a drop in a business’s valuation and cancelled or unrenewed contracts can certainly be felt as a direct result of a cybersecurity breach.
Preparation will be the difference
In 2018, there’s reason to believe that your organization will suffer regular cyber attacks and will likely experience a cybersecurity breach at some point in the future. As we already mentioned, cybersecurity is essential in defending against these attacks and its importance can’t be emphasized enough in the current state of IT security. That being said, when an attack gets through, an incident response plan dictates next steps and a cyber resilience plan makes sure that an organization can survive beyond the attack.
A carefully strategized, and regularly tested, incident response plan will act as a playbook for responding to an attack, dictating each team member’s role and priorities: recover what needs recovering, patch what needs patching, and maintain the systems that will keep revenue loss to a minimum. Without this playbook, individuals are forced to make quick decisions based on limited knowledge and may not always make the right ones. It shouldn’t be a surprise that, even though most organizations are attacked every day and the stakes are high, many people we surveyed don’t feel confident in their organization’s ability to deal with a breach. Insufficient cyber resilience plans might be the reason for this lack of confidence.
Cyber resilience plans are proactive. They allow organizations to remain in control during a cybersecurity breach and follow through with decisions that were made before a crisis instead of during one.