This post is also available in: 日本語 (Japanese)
This is the first of a two-part blog series, breaking down the cost of dealing with a cybersecurity incident versus the cost of investing to prevent an incident. Learn the value of cybersecurity and how to invest your money wisely.
Abstract: It seems as though each day there is a new headline in the U.S. declaring that yet another organization has fallen victim to a cybersecurity attack. In recent years, these headlines tend to also reference monumental fines, sliding stocks and diminished customer loyalty. Many executives fail to consider the web of “hidden costs” associated with responding to and recovering from a cybersecurity incident. In this article, Palo Alto Networks Principal Consultant, LeeAnne Pelzer, explores some of the less frequently considered cost of cybersecurity factors that are embedded within the modern cybersecurity incident, as well as ways organizations can financially benefit in the long-term by proactively investing in their cybersecurity.
Cybersecurity incidents are expensive. According to IBM and the Ponemon Institute’s 2020 “Cost of a Data Breach” report, it was determined that the average total cost of cybersecurity breaches in the United States of America, between August 2019 and April 2020, was $8,640,000. Cyber incidents are no longer a far-fetched concept within the realm of what could possibly go wrong. The general consensus among industry experts is that an organization facing a cybersecurity breach or attack is not a matter of “if,” but rather “when.” Even seemingly “minor” cybersecurity incidents can have devastating effects on the financial, reputational and operational success of an enterprise.
Although it may appear as though massive conglomerates are the only ones paying big bucks after a breach (eBay, Anthem, and Equifax, just to name a few) this could not be further from the truth. Cyber criminals are aware that small businesses often have a small security budget and could be easier targets. Novice hackers have a much greater chance of successfully infiltrating an organization with low-funded security solutions and minimal resources (financial, human, technical, etc.). We can crunch some simple numbers to demonstrate the cost of cybersecurity breaches even in an objectively miniscule one. Multiple sources have reported that the average cost per compromised customer’s Personally Identifiable Information (PII) record was around $150 in the year 2019. This means that if only 10,000 customer records were compromised, a small business could face breach costs starting at $1,500,000. If we increase the number of breached customer records to 50,000, we are looking at costs in the neighborhood of $7,500,000.
What about cybersecurity incidents that don’t necessarily involve breached customer PII records? According to Unit 42’s 2020 Incident Response & Data Breach Report, ransomware was the most common compromise method of 2019. This report paints a picture of why ransomware is such an attractive choice for cyber criminals, stating, “If you’re a threat actor, there is simply no better way to monetize illicit access to a network than encrypting your victims’ files and demanding payment.” Ransom demands are costly and keep trending higher. Unit 42 reported that requested ransom amounts rose nearly 200% from 2018 to 2019, averaging $115,123 in 2019. If that number isn’t hefty enough for you, Unit 42 also reported that the highest ransom demand witnessed over the last five years was $15,000,000, while the highest paid ransom for a Unit 42 matter was $5,000,000.
The statistics laid out in the above paragraphs are only the tip of the iceberg. When it comes to cybersecurity incident costs, there are dozens of factors impacting the bottom line. In this article, we will explore a few of the less considered costs that are not likely to cross your mind unless you have navigated a breach first-hand.
While there is a large amount of reliable, publicly-available data regarding threat vectors, attack types and the high-level financial impacts of cybersecurity incidents, there fails to be a simple consolidation of cost elements contributing toward the bottom line.
Compliance with mandates, such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR), are a top concern of most executive boards these days and for good reason. Explicitly written on the official GDPR website, “GDPR fines are designed to make non-compliance a costly mistake for both large and small businesses.” Of course there are many other regulatory requirements and resulting fines that may impact a breached organization, but for the sake of simplicity we are just going to explore the financial implications of non-compliance with GDPR and CCPA.
The GDPR explicitly states that some violations are more severe than others. These less severe infringements could result in a fine of up to $11,899,550 (€10,000,000) or 2% of an organization’s worldwide annual revenue from the preceding financial year, whichever amount is higher. More serious GDPR infringements — those going against the right to privacy and right to be forgotten — could result in a fine of up to $23,799,100 (€20,000,000) or 4% of an organization’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
CCPA fines are just as intimidating as GDPR. Each time a business is found to have an intentional violation, they can be fined up to $7,500. Even unintentional violations come with a price tag of $2,500. The real sucker-punch to an organization’s wallet comes in the fact that violations can stack up. For example, if a business’s website is using third-party cookies without leveraging a cookie banner for awareness and opt-in, that organization could be committing thousands (or more!) of violations per day.
The GDPR and CCPA are great examples of how regulatory fines can quickly add significant costs on top of an already expensive situation. Each of these particular regulations are quite recent—with the GDPR coming into effect in 2018 and CCPA in 2020. As time goes on, it is almost guaranteed that we will continue to see the implementation of more stringent cybersecurity requirements via legal mandates with immense noncompliance costs.
Reputational damage costs are difficult to assign an average monetary value, given that they involve the perception of human beings. Data breaches can impact a company’s reputation in a multitude of ways — negative word of mouth, brand-bashing social media campaigns, diminishing customer loyalty and trust, preference for competitor services and a loss of business. For publicly-traded companies, this usually equates to plummeting shares, social media slurs and an up-hill journey to win back customer loyalty and faith, which is usually via free services, such as credit monitoring and a publicized roadmap of how security was improved post-breach.
An example of how a breach can result in devastating reputational impacts is the 2017 Equifax incident. Within the first week after their breach, Equifax lost four billion dollars in stock market value, and its costs directly associated with the breach totaled an additional $439,000,000 by the end of 2017. As an attempt to remedy the damage caused by the breach, Equifax offered 147,000,000 customers free credit monitoring services for one year and a waiver of the requirement that all disputes be settled through arbitration. Additionally, Equifax was court-ordered to spend $1,000,000,000 in enhancing cybersecurity measures under court oversight.
Large and small businesses alike retain counsel as a best practice when triaging a cybersecurity incident. While hourly attorney rates vary case-by-case, they tend to hover around $1000. Legal fees can quickly add up. In the case of Home Depot when the retailer was ordered to pay $15,300,000 in fees and expenses to lawyers who litigated a class action case against the organization. Regardless of the hourly rate that an organization secures, legal fees are certainly something that can add auxiliary costs to a cybersecurity incident.
It is common sense that operational downtime faced during a cybersecurity incident will result in financial strain; however, the extent of impact may be a surprise. According to Gartner, the average cost of Information Technology (IT) downtime is $5,600 per minute. This equates to approximately $336,000 per hour. However, this is the average amount and can vary drastically depending on an organization’s IT reliances and business structure. Another interesting statistic from Gartner is that, through 2021, 65% of infrastructure and operations leaders will underinvest in their availability and recovery needs because they leveraged generalized and non-tailored estimated cost-of-downtime metrics to determine their own organizational needs. Inadequate availability and recovery resources lead to a longer breach lifecycle, thus piling on additional costs. There was an average cost savings of approximately $1,120,000 when it came to breaches that were contained in less than 200 days, versus those that took longer than 200 days.
Learn how to prevent an incident by investing in cybersecurity in the second portion of this two-part series blog.
To get help preventing and combating cyber incidents, contact the Unit 42 Incident Response team.
- Key Considerations When Building a Formal Incident Response Plan https://start.
- Ransomware Readiness Assessment https://www.
paloaltonetworks.com/ ransomware-readiness- assessment
- Cyber Risk Management Worksheet https://www.
paloaltonetworks.com/ resources/datasheets/unit42- cyber-risk-management.html