2021 has seen a marked upturn in the volume, creativity and audacity of cyber-attacks, fraud efforts and major data breaches.
Over the past 12 months the UK’s official National Cyber Security Centre has handled an unprecedented 777 incidents – a rise from 723 last year and an average of 643 since launching in 2016, according to its Annual Review.
We regularly see cyber-attacks hurt big businesses and test customer trust, but they are not typically an extinction-level event, and many large firms recover given time. For small businesses, however, the likelihood of some type of cyber incident is just as high, if not higher, and their chances of making a full recovery are considerably slimmer.
Each organisation is unique in terms of the impact of a breach, which depends on its timing and duration and on the industry in which the organisation operates. For example, a data breach may have more pronounced consequences in the financial sector than, say, in manufacturing. As attacks grow more sophisticated, mitigating the risk is getting harder. As we head into 2022, organisations of all sizes and from all industries must evaluate their own security posture. We have pulled together a list of the five most significant consequences of a cyber security breach to show why.
Loss of customer and stakeholder trust can be the most harmful impact of cybercrime, since the overwhelming majority of people would not do business with a company that had been breached, especially if it failed to protect its customers’ data. This can translate directly into a loss of business, as well as devaluation of the brand you’ve worked so hard to build.
Although on a case-by-case basis it’s difficult to quantify the erosion of reputation due to a data breach, according to one industry insider, “we see a 60% failure rate among SMBs after a company discloses a breach within 6-12 months, partly due to confidence issues and partly due to recovery challenges.”
While a cyber-raid on a big-name bank may net the attacker a sizeable haul, smaller businesses’ defences are typically less sophisticated and easier to penetrate, making them a softer target. Cyber-enabled fraud leads to monetary losses, but stolen data can be worth far more to hackers, especially when sold on the Dark Web.
A recent report found that the average price for commercially traded logins on the Dark Web was a ‘modest’ $15.43; when it came to domain administrator accounts that give access to internal business networks, (typically sold by auction because of their value to hackers), the price spiked to an average of $3,139 and, in select cases, reached an eye-popping price of $120,000. Intellectual property theft may be equally damaging, with companies losing years of effort and research and development investment in trade secrets or copyrighted material – and their competitive advantage.
Cybercrime costs small businesses disproportionately more than big businesses when adjusted for organisational size. For a large corporation, the financial impact of a breach may run into the millions, but at their scale, the monetary implications are barely a blip on the radar. According to the latest IBM report, data breach costs rose from $3.86 million to $4.24 million in 2021, the highest average total cost in the history of its reports. Even more troubling is that there is further evidence to suggest the longer a breach remains undetected, the higher its financial impact.
As if direct financial losses weren’t punishment enough, there is the prospect of monetary penalties for businesses that fail to comply with data protection legislation. In May 2018, the General Data Protection Regulation or GDPR went into effect in the EU. The enforcement powers associated with the law are significant.
Under the GDPR, fines for the most serious violations can reach €20 million or 4% of a firm's total worldwide annual turnover, whichever is higher. In 2020, European data protection authorities issued $193 million (€159 million) in fines for GDPR violations, while the largest single GDPR penalty at that point remained the $57 million (€50 million) fine the French regulator CNIL imposed on Google in 2019.
In addition to the economic costs of incident response, there are several intangible costs that can continue to blight a business long after the event itself. The impact of operational disruption tends to be woefully underestimated – especially among firms that have little in the way of formal business resilience and continuity strategies – and small organisations that already struggle to manage cash flow may face crippling rises in insurance premiums or see an increased cost to raise debt.
Have a cyber incident response and recovery plan
Cyber security and cyber incident recovery are not an IT problem but a business imperative. Adopting a comprehensive security strategy today gives an organisation a far better chance of staying in business if attackers strike.
Traditional disaster recovery plans, which were developed for physical events such as a fire or flood, or for technology infrastructure failures such as a data centre outage or power cut, are not sufficient to support recovery after an organisation suffers a cyber-attack: unlike a flood, an attacker may still be inside the environment, and may have deliberately targeted the backups the plan relies on. Instead, a dedicated cyber incident response plan is needed, one that puts in place a clear process for identifying and scoping the incident, an immediate containment reaction, and a data recovery process that works quickly and effectively and is tested before it is needed. Without such a plan, a company is unlikely to overcome the significant consequences of a cyber security breach.
About the Author
Chris Butler is Lead Principal Consultant at Sungard Availability Services.