Cybersecurity experts often say it is hard to quantify all of the financial hits a company takes in the wake of a bad security incident. A new report and survey from the Center for Strategic and International Studies attempts just that, paying particular attention to the hidden costs that do not always show up in the annual budget.
In 2018, the organization estimated that cybercrime was siphoning more than $600 billion from the global economy; two years later that figure is inching toward $1 trillion in total losses. While some of that increase can be attributed to better reporting of cybersecurity incidents, it also comes at a time when the volume of e-crime and ransomware attacks has exploded across industry, government and school systems.
One of the most puzzling findings from the survey is that more than half of organizations reported not having plans in place to both prevent and respond to a cyber incident.
Some of that can be explained by companies reporting having one plan but not both. However, it also demonstrates how many companies tend to emphasize prevention over response. For instance, companies in the U.S. were twice as likely to have a plan to prevent IT security incidents as they were to have an incident response plan, and companies in the United Kingdom were three times as likely. Even among those that have IR plans, few were confident in them, again pointing to a lack of investment and organizational buy-in around cybersecurity.
“Out of the 951 organizations that had a response plan, only 32 percent said the plan was actually effective. Usually, the board or the C-suite was not involved in developing the plans,” wrote CSIS authors Zhanna Malekos Smith, Eugenia Lostri and James Lewis.
It speaks to the startling lack of overall preparedness that remains within the business ecosystem, even as digital threats reach record heights.
“A lot of organizations say ‘I want to have the absolute, lowest potential to have a cyber incident, so I’m going to be all about prevention,’” said Steve Grobman, chief technology officer at McAfee, which underwrote the report and contributed research. “What we found is, even the best defended companies will still have gaps, still have issues like humans, where people become the intrusion vector through spear phishing or misconfiguration and therefore it’s critical you not only have a protection plan, but…how you recover.”
The report also calculates and details a range of other hidden costs that are often difficult to quantify: how much a business loses in damage to its brand, lost opportunity costs, downtime and loss of productivity within the company. If employee data or internal communications are leaked publicly – as was the case during the 2014 Sony hack – it can lead to further embarrassment, air the company’s dirty laundry and sap employee morale.
Other data breach post-mortems have found additional costs in the form of lawsuits, increased insurance premiums, victim notification services, emergency crisis communications or PR and other activities.
The hit a company’s reputation takes in suffering a breach can often be compounded by how it chooses to react, both internally and with the public. Only about one in four organizations level with their customers about the impact following a compromise, and defensiveness, secrecy or attempts to downplay an incident can all lead to significant decreases in consumer confidence and loyalty going forward.
“There has been increasing awareness by consumers of the use and misuse of their data, and expectations regarding data protection are increasing,” the authors write. “Transparency and informing customers when their financial or personal data may have been compromised are essential to maintain trust and manage a crisis.”
Downtime can also hurt the productivity of certain departments – particularly engineering – and upend tightly regulated business schedules. During the 2017 WannaCry attacks, the U.K.’s National Health Service had to take a third of its systems offline and cancel approximately 19,000 appointments. Overall, the nation’s health service took a £92 million ($123 million) hit in known costs. In addition to security improvements, Anthem, ranked 29th on the Fortune 500 list, reported spending $2.5 million on consultants, $112 million on credit protection and $31 million on notifying customers following its 2015 data breach.
The impact of COVID-19 on the IT operations of businesses and on the behavior of threat actors has been well documented over the past nine months. A significant number of organizations have moved their operations from analog to online or to the cloud. They tend to have less digital experience and are increasingly viewed by threat actors as soft targets in the pandemic landscape. The report’s pandemic section touches on how these dynamics have particularly affected the health care and education sectors.
Less often discussed is which dynamics will endure past next year, when a vaccine is expected to be widely distributed and the original impetus for widespread telework dissipates. Grobman said the virus reset baseline security processes for a huge chunk of industries and cited cloud migrations, secure remote access tools, secure cloud edge and increased use of multifactor authentication as trends that would survive long beyond the pandemic.
However, he flagged one problem not many are talking about: the millions of unused, unmaintained desktop computers and IT assets that have been collecting dust in empty offices over the past year since businesses sent their workers home in March. As IT and security teams face a return to in-person working in 2021, they will need a plan to bring those machines back online gradually and patch them without putting the enterprise at heightened risk, for example by patching them on an isolated network segment before they rejoin the production network.
“There’s a lot of equipment that’s been powered off for a year. That has a year’s worth of vulnerabilities that is going to [cause problems] if you just start turning stuff on,” Grobman said.
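One way to turn the staged re-onboarding Grobman describes into something an IT team can act on is to triage the asset inventory before anything is plugged back in: hosts that checked in recently and sit at the current patch baseline can rejoin production, while everything else is held on a quarantine segment and patched in small waves. The script below is an added illustration, not code from the CSIS report, McAfee or the article; the inventory records, the per-OS patch baseline, the 30-day dormancy threshold and the wave size of two are all constructed assumptions.

```python
"""Triage dormant endpoints before they are reconnected to production.

Added example. The inventory, baseline builds, reference date, dormancy
threshold and wave size below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory (hypothetical hosts). "last_seen" is the last
# agent check-in; "build" is the OS build the host was last seen running.
SAMPLE_INVENTORY = [
    {"host": "desk-001", "last_seen": "2021-03-10", "os": "win10", "build": "19042.870"},
    {"host": "desk-002", "last_seen": "2020-03-13", "os": "win10", "build": "18363.720"},
    {"host": "desk-003", "last_seen": "2020-03-12", "os": "win10", "build": "19041.450"},
    {"host": "lab-004",  "last_seen": None,         "os": "linux", "build": "?"},
    {"host": "desk-005", "last_seen": "2021-02-20", "os": "macos", "build": "11.2.3"},
    {"host": "desk-006", "last_seen": "2020-06-01", "os": "macos", "build": "10.15.7"},
]

# Assumed patch baseline: the minimum build per OS that counts as current.
BASELINE = {"win10": "19042.870", "macos": "11.2.3"}

REFERENCE_DATE = date(2021, 3, 15)   # "today" for the example (assumed)
DORMANT_AFTER_DAYS = 30              # assumed: longer than this is stale
WAVE_SIZE = 2                        # assumed: hosts patched per wave


@dataclass
class Decision:
    host: str
    dormant_days: Optional[int]   # None when the host never checked in
    stage: str                    # "production" or "quarantine"
    wave: int                     # 0 = reconnect now, 1.. = quarantine wave
    reason: str


def parse_build(build: str) -> Optional[Tuple[int, ...]]:
    """Turn '19042.870' into (19042, 870); None if not a dotted number."""
    try:
        return tuple(int(part) for part in build.split("."))
    except ValueError:
        return None


def is_current(os_name: str, build: str) -> Optional[bool]:
    """True/False against the baseline; None if no baseline or unparsable build."""
    baseline = BASELINE.get(os_name)
    parsed = parse_build(build)
    if baseline is None or parsed is None:
        return None
    return parsed >= parse_build(baseline)


def dormant_days(last_seen: Optional[str], reference: date) -> Optional[int]:
    """Days since the last check-in; None if the host never checked in."""
    if last_seen is None:
        return None
    return (reference - date.fromisoformat(last_seen)).days


def triage(inventory, reference=REFERENCE_DATE,
           dormant_after=DORMANT_AFTER_DAYS, wave_size=WAVE_SIZE) -> List[Decision]:
    """Decide, per host, whether it may rejoin production or must be quarantined."""
    ready: List[Decision] = []
    held: List[Decision] = []
    for rec in inventory:
        days = dormant_days(rec["last_seen"], reference)
        current = is_current(rec["os"], rec["build"])
        if days is None:
            held.append(Decision(rec["host"], None, "quarantine", 0, "never checked in"))
        elif current is None:
            held.append(Decision(rec["host"], days, "quarantine", 0, "no baseline for OS/build"))
        elif days > dormant_after:
            held.append(Decision(rec["host"], days, "quarantine", 0, f"dormant {days} days"))
        elif not current:
            held.append(Decision(rec["host"], days, "quarantine", 0, "build below baseline"))
        else:
            ready.append(Decision(rec["host"], days, "production", 0, "current and recently seen"))
    # Least-stale hosts first: they carry the smallest patch backlog, so the
    # re-onboarding process is validated on them before the worst cases.
    held.sort(key=lambda d: (d.dormant_days is None, d.dormant_days or 0))
    for idx, decision in enumerate(held):
        decision.wave = idx // wave_size + 1
    return ready + held


def reconnect_plan(decisions: List[Decision]) -> Dict[int, List[str]]:
    """Group hostnames by wave: 0 reconnects now, higher waves patch in order."""
    plan: Dict[int, List[str]] = {}
    for decision in decisions:
        plan.setdefault(decision.wave, []).append(decision.host)
    return plan


if __name__ == "__main__":
    for d in triage(SAMPLE_INVENTORY):
        print(f"{d.host:9} wave={d.wave} {d.stage:10} {d.reason}")
```

Dormancy is checked before the build number on purpose: an inventory record from a year ago only tells you what the machine was running when it last reported, so a "current" build on a long-dormant host is not trusted. Hosts with no baseline or no check-in at all land in the final wave, after the procedure has been exercised on the easier cases.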