What IS the true cost of a Cyber Breach?

Having worked in the technology sector for many years, and more recently specialising in the cyber security space, I often read articles around ‘the true cost of a cyber security breach’.
As a security champion and seasoned consultant to both the government and private sector, I feel as if I should be promoting fear mongering and jumping on the bandwagon, applying scare tactics and enforcing this style of selling for financial gain. However, I feel uncomfortable with throwing unsubstantiated numbers around and generalising on events that we know very little or nothing about, especially when it comes to private businesses being compromised.
Having read numerous articles, there seems to be a massive variance here, without anyone actually having solid statistics cross-referenced against all the scenarios. Granted, AHPRA & AGO would have some statistics, but these would only be relevant to a handful of larger organisations that responded to the surveys or have in fact had a reported breach. Again, this doesn’t support the multiple articles substantiating breach costs of A$100k and others suggesting costs up to US$7m, albeit these articles apply to varying organisations based in different locations on a global scale that will be governed by different compliance laws. In essence, the cost of the breach depends on the sector, what has been taken, the reputational damage and what the penalties are around this, not excluding the response time needed and other mitigating factors.
I find it hard to make a generalist statement that a breach would cost upward of “x” amount of millions of dollars; these figures would seem to apply to less than 10% of the corporate market (large corporates). The remaining companies wouldn’t be able to afford a breach at that kind of cost; it would fold the company, and I don’t hear a lot about companies going out of business due to a breach (not to say there haven’t been any).
So, removing all the noise and the fear mongering from the equation, there is no simple answer to this. It is hard to track, as the majority of private sector companies are not regulated here in Australia. Perhaps when the mandatory breach notification laws are passed and we have more information, we can accurately make decisions on the actual cost of a breach within specific industry sectors, the types of breaches and the knock-on effects these have had on companies. Then, and only then, can we advertise and label a breach with a specific price tag in mind.
Some Managed Security Service Providers (MSSPs) may have some statistics and information surrounding breaches, especially if they have a large volume of customers. Although even a large volume of customers would still only represent a small percentage of the market, these would again be speculative numbers that would generally not be released due to sensitive information and confidentiality issues, nor would they give an MSSP the ability to make mass generalisations on the cost of an average breach.
The point here is not to ignore the fear mongering but to take it with a pinch of salt. Do not be complacent and think it will never happen to you, because the fact of the matter is, it probably will. Various hacker groups look for SMB companies to test their malware before they hit the large corporates, so if anything, this makes the SMB sector a far greater target than the larger institutions.
Ensure you are having regular security health checks and test your critical infrastructure; make sure you have endpoint protection, Next Gen Firewalls and a solid Incident Response Plan in place to deal with the technology aspect and the possibility of a breach. I’d also recommend you have regular and appropriate staff training in place to deal with the human element.
Partner with a security consultancy that takes the time to understand the risks faced by your business and has a great view of your particular industry vertical. Make sure they will be able to identify which specific risks are applicable to that industry and understand whether there are specific events that have affected organisations in your competitive landscape, allowing you to mitigate the risks and bolster your defences where needed, rather than throwing budget into areas that you feel you have to because you have succumbed to the fear mongering!
Mitigating the risk can often be a complex process, but some quick wins to be thinking about are: patching applications, restricting admin privileges, application whitelisting and regular reinforcement of training to your staff to prevent phishing attacks – which has proven to be the main instigator of successful cyber-attacks. Be prepared, have a plan and stay ahead of the bad guys as much as you can, but don’t be blind-sided by tactical fear mongering and crafty marketing.