How Cyberattacks Impact Your Business
Cybercrime is big business. It is projected to inflict $6 trillion (US) worth of damages in 2021. That’s higher than the GDP of Japan. With a projected growth of nearly 15% per year through 2025, it’s only a matter of time before a business becomes a target.
The impact of a cyberattack can last well beyond the event. According to an IBM report, the consequences of a data breach can be seen more than two years after a compromise. The primary areas of impact are:
- Detection and Escalation
- Response and Remediation
- Post-response
Each of these areas has a financial impact on an enterprise. To what degree depends on the cybersecurity capabilities of an organization.
Detection and Escalation
On average, it takes a company 280 days to detect a data breach. That’s nine months that cybercriminals have been moving through your system, stealing information. Even when it’s a ransomware attack, many hackers are stealing data before they launch the ransomware. They then threaten the company with the publication of stolen data if the ransom is not paid.
For example, Grubman Shire Meiselas & Sacks, a law firm specializing in media and entertainment, suffered a data breach in early 2020. The hackers stole personal information on the firm’s celebrity clients, including Lady Gaga, Bruce Springsteen, and Sir Elton John. When the company did not pay the initial ransom, the hackers published select information to the Dark Web. To date, the firm has not paid the $42 million ransom; not paying is how the FBI recommends handling ransomware attacks. The company has hired private individuals to help recover stolen data that is still available online.
Without paying the ransom, the law firm has incurred costs for the following services:
- Investigative and forensic activities to assess and remediate the breach.
- Audit and assessment services to ensure the integrity of the system.
While the costs for services rendered can be calculated, there are also the hidden costs of crisis management, which involves communicating with executives, board members, and even shareholders. That does not include the charges for formal notification processes.
Depending on the industry, organizations may have to adhere to notification regulations. Most states have laws regarding the notification of consumers when financial data has been compromised. Some states, such as California, include health and other personal information in the notification regulations. The length of time from detection to notification can range from 45 to 90 days. Failure to comply can result in fines.
The notification process also involves the following:
- Determining regulatory requirements
- Contacting regulators
- Ensuring compliance
This process may require outside experts to validate a company’s corrective procedures.
The notification process takes company resources. Employees have to work with outside regulators to address compliance violations. The staff has to prepare written notification of a data breach to the impacted consumers. The reallocation of resources to address the aftermath of an attack means other priority tasks must be delayed.
IBM’s Data Breach Report identifies three ways a cyberattack can result in lost business. The most immediate impact is business disruption and revenue losses as a result of downtime. A recent survey estimated that an hour of unplanned manufacturing downtime costs $260,000. Based on recent attacks, downtime can be calculated in days rather than hours. If a company is running a 24/7 operation, the costs can run into the millions.
Most businesses that suffer a cyberattack lose customers. According to a recent article, 56% of consumers will stop doing business with a company that has had a security breach for at least 12 months. In some cases, they never return. What company can stay in business if it loses half of its customer base?
To compensate for lost customers, companies have to acquire new ones, which costs money. Although companies do budget for customer acquisitions, they do not expect to acquire 50% of the existing customer base. On top of the immediate customer loss comes the long-term impact of a successful attack on a company’s reputation.
Consumers trust that their information will be protected or that the products they want will be available. When that trust is disrupted because of a cyberattack, it isn’t easy to rebuild the relationship. People may continue to do business, but they are more cautious and perhaps invest less in an organization’s products or services.
What happens after the breach is contained can be the most costly, depending on the industry. If credit or debit cards are involved, a per-record fine is assessed along with a monthly penalty until the system is brought back into compliance. While out of compliance, no payments can be processed.
In 2008, Heartland Payment Systems suffered a data breach that led to over $10 million in fines and penalties. Many of the penalties were assessed after the breach was evaluated by card companies such as VISA and MasterCard. Most companies also incur additional legal fees whether penalties are or are not involved.
Added staff may be required to handle questions about the attack, whether from consumers or the media. Companies may need to provide incentives to get customers to return. These may be product discounts, cybersecurity services, or refunds. If accounts were compromised, organizations may have to create new accounts or issue new credit or debit cards. How long the post-response period lasts depends on the industry, the company, and the size of the attack.
Minimize the Impact
Many companies believe they are too small or lack anything of value to worry about hackers. Unfortunately, that’s false security. Every 11 seconds, 24 hours a day, 365 days per year, a cyberattack is launched. That’s close to 8,000 attempts per day.
These aren’t isolated attempts. Hackers are organized criminals that troll the internet looking for systems with vulnerabilities that can be exploited. If they happen to cruise by a server that lacks the latest security patch, they’ve found their next target. The only way to protect against a successful attack is to have the best cybersecurity defenses in place. If your business is in the greater Houston area, contact us for help in strengthening your cybersecurity.