September 2021 - CyPro

by Rob McBride
September 26, 2021

What would the cost of a cybersecurity breach be to your business? Many businesses struggle to estimate the true impact and often underestimate the costs involved. For example, a recent study showed the average cost of a cybersecurity breach for an SME is $149k. However, nearly 70% of companies place their estimate at less than $25k.

The total cost of a cybersecurity breach is rising. Trend analysis shows that 2021 has the highest average cost in 17 years.

Many SMEs believe that they’re too small and insignificant for cybercriminals to attack, but the reality is SMEs are often the preferred target – not because they are more lucrative, but because they’re generally easier to penetrate.

Consider that 70% of SMEs experienced a phishing attack in the last three months, and yet only 38% report applying security patches as soon as they become available.

Understanding the true cost and full impact of a cybersecurity breach on your business is important to:

  • Make the board aware and get their sponsorship for remediation work.
  • Prioritise security work over other business-critical work.
  • Make cost/benefit decisions over which security defences to implement.

The cost of a cybersecurity breach is hard to quantify

Even with the benefit of hindsight, it’s very difficult to accurately quantify financial risk exposure to a cyberattack. Take for example ‘mega breaches’, where up to 50m records are lost. The cost of the breach ranges from £30m to £263.6m – a huge difference.

If you’re the sort of company with 50m records, you’re likely to be a larger enterprise with big security teams, big budgets and big tech. But SMEs don’t have this luxury because often they lack the tools, skills and resources to do their job effectively – 57% of CISOs admit that their ability to effectively protect their companies is much lower than they would like it to be.

However, with cybersecurity breaches regularly hitting the headlines, the costs involved are becoming more visible. It’s become easier to compare your business to a competitor, or similar company in another sector. But every business has unique factors.

At face value you might offer the same products/services, but your operations, internal structures, processes and systems are different, therefore you can’t simply take data from another company and directly apply it to yours.

The main costs of a cybersecurity breach

At a high level, there are five core costs you incur following a breach:

Loss of revenue: nearly 40% of the costs encountered following a breach are attributed to lost business, including customer churn and lost revenue due to system downtime.

Response: on average it takes 280 days to identify and contain a breach. For every day that passes with a threat actor inside your network, the costs continue to increase.

Regulatory fines: under GDPR, fines can hit the higher maximum amount of up to £17.5 million or 4% of the total annual worldwide turnover.

Reputational damage: 85% of consumers say they won’t shop at a business if they have concerns about their security practices.

Implementing mitigating controls: you might stop it happening again, but it requires additional and unexpected expenses, which range from $8k for an SME up to $69k for an enterprise.

How to perform cyber risk quantification

The FAIR (Factor Analysis of Information Risk) Institute is a non-profit professional organisation dedicated to advancing the discipline of measuring and managing information risk.

Its methodology is valuable because when so many costs associated with a cybersecurity breach are intangible – such as reputational damage – it translates and communicates risk in a language that everyone in the business understands: money.

Rather than approaching operational risk from a compliance perspective, the FAIR methodology considers it from a risk-based approach. This transforms information risk from being seen as a technology issue into a business issue, which everyone has a responsibility for. And because it extends outside of the IT department, security professionals become facilitators who balance the need to protect the organisation with the need to use technology to enable the business. By translating the risk into a monetary value, the Board can understand the exposure in financial terms and make better decisions.

It works so effectively because:

  • It uses a standard taxonomy for information and operational risk;
  • The framework establishes the criteria for data collection;
  • It measures the right metrics and scales for risk factors;
  • The modelling construct helps the business to analyse complex risk scenarios; and
  • It complements existing risk management frameworks so you’re not starting from scratch.
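As an added illustration of the kind of modelling construct FAIR relies on (this is example code written for this article, not a FAIR Institute tool), the script below factors risk into Loss Event Frequency and Loss Magnitude, takes calibrated minimum / most likely / maximum estimates rather than single figures, and runs a Monte Carlo simulation to express annualised loss exposure in money. The scenario figures and the five cost categories' ranges are constructed for illustration and are assumptions, not study data.

```python
"""FAIR-style cyber risk quantification by Monte Carlo simulation.

FAIR factors risk as:
  Loss Event Frequency (LEF) = Threat Event Frequency (TEF) x Vulnerability
  Loss Magnitude (LM)        = sum of the per-event loss components
  Annualised Loss Exposure   = LEF x LM
Each input is a (min, most likely, max) estimate so the output is a range.
"""
import random
import statistics


def pert(rng, lo, ml, hi, lam=4.0):
    """Draw one value from a modified PERT distribution (Beta form)."""
    if hi == lo:
        return lo
    a = 1 + lam * (ml - lo) / (hi - lo)
    b = 1 + lam * (hi - ml) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)


def simulate_ale(scenario, runs=10_000, seed=1):
    """Return mean and percentile annualised loss exposure for a scenario."""
    rng = random.Random(seed)  # fixed seed: repeatable board figures
    results = []
    for _ in range(runs):
        lef = pert(rng, *scenario["tef"]) * pert(rng, *scenario["vulnerability"])
        lm = sum(pert(rng, *t) for t in scenario["loss_components"].values())
        results.append(lef * lm)
    results.sort()
    return {
        "mean": statistics.fmean(results),
        "p10": results[int(0.10 * runs)],
        "p50": results[runs // 2],
        "p90": results[int(0.90 * runs)],
    }


# Constructed scenario (assumed figures): phishing leading to a breach at an SME.
SME_PHISHING_SCENARIO = {
    "tef": (4, 8, 15),                    # phishing campaigns reaching staff per year
    "vulnerability": (0.02, 0.05, 0.15),  # share that becomes a loss event
    "loss_components": {                  # per-event cost, USD, one per category above
        "lost_revenue": (10_000, 40_000, 120_000),
        "response": (5_000, 20_000, 60_000),
        "regulatory_fines": (0, 5_000, 50_000),
        "reputational_damage": (2_000, 15_000, 80_000),
        "mitigating_controls": (8_000, 20_000, 69_000),
    },
}

if __name__ == "__main__":
    for name, value in simulate_ale(SME_PHISHING_SCENARIO).items():
        print(f"{name:>4}: ${value:,.0f}")
```

Swapping in your own calibrated estimates gives a p10/p50/p90 spread the board can weigh against the cost of a proposed control.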

How can we help you?

CyPro provides companies with expert governance, risk and compliance consultants who can accurately quantify the risks faced by your business and the potential financial impacts. Find out more here.