By Jeff Welgan, Head of Executive Training, N2K
This is the second post in a six part series about cybersecurity risk. Each week we discuss a different category of enterprise risk and how cybersecurity impacts those risks at the board and executive level. This week we focus on Financial Risk, represented by the natural disaster of drought. Use the links below to access the other articles in the series:
Cybersecurity Seen as an Influencer to Known Areas of Risk – Part One
Financial Risk: The Costs Continue to Add Up Following Breaches
Droughts are bad. At first glance, they seem to only affect water, drying up creeks, rivers, and lakes. But if left unchecked, this force of nature can drain the productivity and life out of a society by threatening animals, crops, and even humans. Cyber attacks can have similar effects by draining an organization of its existing financial resources and creating costs that plague a company for months or even years following an incident. It’s hard to exaggerate the financial consequences of a cyber incident. To understand this risk category, we can begin by breaking it down and identifying the main types of costs: direct and indirect.
|Direct Costs||Indirect Costs|
U.S. data breaches in 2015 averaged $7.06 million in financial costs. Let’s take a look at a real world example to better understand how an incident can produce these types of consequences.
The Sony Breach
In November 2014, a hacker group called Guardians of Peace, rumored to be affiliated with the North Korean government, infiltrated Sony’s systems and released confidential business information. Most famously, the attackers leaked a copy of the studio’s film The Interview in addition to other films, company emails, and the personal information of Sony’s employees and their family members. Direct financial costs totalled $2.3 million.
- Detection and Escalation: $1 million
- Notification: $.2 million
- Post-incident response: $1.1 million
The $2.3 million direct costs were dwarfed by a slew of other breach-related costs including the impact of low box office sales of the film’s limited theatrical release – many theaters declined to show the movie in response to the terroristic threats following the film’s leak. As a result, The Interview only grossed $6 million in theaters in the weeks following release compared to the over $41 million budget to make and an estimated $30 million to market. Sony received praise for its decision to release the film via digital streaming channels and recouped more than $40 million; however, one can only speculate how much additional revenue the firm would have made through a traditional box office release.
Additionally, direct financial costs didn’t account for the ongoing lawsuits, and perhaps most of all, damage to Sony’s reputation. The leak exposed Sony Pictures candid commentary on many high profile stars, including A-list actress Angelina Jolie, who hasn’t worked with the studio since the incident. One commentator, Kowsik Guruswamy, CTO of the stealth startup Menlo Security, argues, “The real cost to Sony’s reputation in the industry is probably in the hundreds of millions, perhaps even $1 billion plus.”
So, let’s do the math:
- Direct financial costs: $2.3 million
- Box Offices Net Loss: approximately $25 million
- Sony tarnished brand reputation cost: Unknown
Total Direct and Indirect Costs: > $27.3 million
The direct financial costs for an incident can be severe but may often only represent a fraction of the total financial impact of a cybersecurity breach. We recommend the following actions to reduce the financial impacts of a cyber incident.
Replenishing the Well: A Three Pronged Approach:
- Ensure that response plans are in place. Organizations should address cyber events by preparing Incident Response Plans and Business Continuity Plans (BCP) that undergo regular testing and updating. These measures can produce outsized benefits if an incident occurs. For example, during an average data breach in 2015, Business Continuity and Incident Response Plans reduced the per record cost of a data breach by $9 and $16 respectively.
- Train your entire workforce. Phishing continues to be the most successful attack vector. Phishing campaigns have a 30% success rate of being opened yet only 46% of companies require cyber training. Even for companies that implement training, 29% of C-Suite executives– the most sought-after targets- are exempt. Instituting awareness training programs can limit opportunities for the adversary and reduces the overall costs associated with a data breach by $9 per record lost.
- Encrypt data. Sensitive data should be protected both at rest and in transit without exception. These measures will cut down on breach-related costs and help you avoid certain attacks in your threat environment. For example, encrypting data alone will reduce the cost of a breach by $13 per lost record.
Cyber-related risks evolve quickly and can affect your entire organization. Understand your financial risks and plan accordingly. Need more training? Contact us. N2K provides training in the boardroom, at board and executive retreats, and in workshop settings.
Stay tuned for the next blog in this series covering Compliance Risk.