The high cost of a security breach

PETALING JAYA, July 18, 2013 - $649,000 is the average cost incurred by large companies in the wake of a cyber-attack, according to the 2013 Global Corporate IT Security Risks survey conducted by B2B International, in conjunction with Kaspersky Lab.

Any cyber-attack can cause damages for a company, but how can those damages be quantified in financial terms? In 2013, experts at B2B International calculated the damages stemming from cyber-attacks based on the results of a survey of companies around the world.

In order to get the most accurate picture of costs, B2B included only incidents that had occurred in the previous 12 months; the assessment was based on information about losses sustained as a direct result of security incidents. This comprised two main components:
·       Damage resulting from the incident itself – i.e. losses stemming from critical data leakage, business continuity,and the costs associated with engaging incident remediation specialists;
·       Unplanned ‘response’ costs required to prevent future, similar attacks, including hiring/training staff and hardware, software and other infrastructural updates.
Researchers did not incorporate data about some losses and expenses incurred by a comparatively small number of surveyed companies, such as costs stemming from the need to release a public statement about the incident.

Cost structure
After crunching the numbers, it appears that the lion’s share of losses are caused by the incident itself — lost opportunities and profits, as well as payments to third-party remediation specialists, average out at $566,000. “Response” expenses for hiring and training staff, as well as updating the hardware and software infrastructure adds an additional average payment of $83,000. Incidentally, damages may vary depending on the region in which the targeted company operates. For example, the largest damages were associated with incidents that involved companies operating in North America — an average of $818,000. The number was only slightly lower in South America at $813,000. Western Europe saw a lower, but still substantial average amount of losses from cyber-attacks, coming in at $627,000.

SME costs
The costs of a cyber-attack against small and mid-sized enterprises are lower than for large corporations. Nonetheless, considering the smaller size of these companies, the amounts still deal a significant blow. The average loss resulting from IT security incidents for mid-sized companies came in at roughly $50,000, of which approximately $36,000 is accounted for by the incident itself, while the remaining $14,000 comes from other associated expenditures. The largest average losses from cyber-attacks among small and mid-sized businesses were recorded at $96,000 for companies in Asia-Pacific. Second place went to companies in North America, with average losses of $82,000. The lowest losses from cyber-attacks were seen in Russia, at $21,000 on average.
The survey also revealed that in some cases the financial losses incurred by small companies are accompanied by other losses amounting to approximately 5% of annual revenues. In one case, a company lost all of its business in a region where it had been successful prior to the incident.

Proper protection
A key lesson to be drawn from this study is that even the most destructive and expensive attacks could have been prevented. Attacks exploited holes in company security that could have been patched up if only the targeted corporations had used quality IT security solutions and managed IT infrastructure appropriately.

Kaspersky Endpoint Security for Business provides effective protection against all types of cyber threats, including targeted attacks. It also enables key controls such as automatic patch management and vulnerability scanning, capable of ensuring regular, consistent updates to corporate endpoints, in addition to the secure integration of mobile devices into the corporate network.

Typically, companies that have fallen prey to cyber-attacks only come to understand the importance and value of these solutions after an incident occurs – meaning additional, preventable costs. A simple comparison of the scale of expenses against the costs and damages caused by a cyber-attack shows that, in the overwhelming majority of cases, investment in quality, effective IT security would have been considerably less than the costs incurred following a breach.