When it comes to calculating the true cost of cyber-attacks, there are factors to consider beyond immediate financial and productivity losses. If you’re considering the cost of prevention versus recovery, here are some of the factors you need to know.
What is the true cost of cyber-attacks? On a macro scale, it’s huge – a recent report by the Cabinet Office put the cost to the UK economy at £21 billion. But what about to your organisation? If your organisation is affected by a ransomware attack, you have two choices: pay the ransom, or recover the files to a pre-encrypted state. Nobody wants to pay a ransom to cybercriminals, but this may be the most economical means of recovery if your disaster recovery and business continuity provisions don’t allow for rapid recovery.
In order to justify cyber security investment, you will need to be able to establish the difference between prevention and recovery costs. In this blog, we’ll take you through some of the factors involved in calculating the true cost of cyber-attacks.
The True Cost of Cyber-Attacks: Key Areas to Consider
When calculating the cost of cyber-attacks, there are typically four areas that are measured: cost to fix, revenue loss, productivity loss and reputational damage. We’ll run through these one at a time.
- Cost to Fix. When your organisation suffers downtime, the cost to fix is totally dependent on the provisions that you have in place to support recovery. If you have outdated business continuity provisions that are unable to adequately deal with a cyber-attack, you may need to fly in specialist firms and individuals to do their best to recover your data. This will, of course, come at a premium. If, on the other hand, you have appropriate provisions in place that have been tested and are known to support the rapid recovery of systems and data, your cost to fix will be significantly lower.
- Revenue Loss. How important is system uptime to your organisation’s revenues? For some more ‘traditional’ businesses, an IT outage may not be too damaging. But for many modern businesses, especially those that carry out sales and marketing online, downtime can result in significant losses in revenue. Consider the systems that your business relies on to bring in revenue, and calculate how much revenue the systems account for. As an example, transactions on your website may account for £12,000 of revenue a day. If your website is unavailable for three hours, this will mean around £1,500 of lost revenue – more if the website is down during peak hours.
- Productivity Loss. Of all the factors that need to be considered with the cost of downtime, productivity loss is perhaps the most significant. Having employees unable to work is financially damaging to any business, and the longer they remain unproductive, the costlier it becomes.
- Reputational Damage. The reputational damage of a cyber-attack may feel less tangible than financial and operational damage, but it is important to consider. Organisations that trade on their reputation are likely to lose considerable consumer trust if they suffer downtime or a data breach. Consider your own purchasing habits – would you purchase from an online store you knew had leaked customers’ credit card information in the past?
These key areas are essential considerations when calculating the true cost of cyber-attacks. However, if they still feel a little intangible, we’ll take you through a costed example in the following section.
Prevention Versus Recovery: A Costed Example
Consider an outage at a 50-person office that lasts one business day. If the average annual salary in the office is £30,000, one day of downtime will cost the business over £11,400, factoring in a drop in efficiency of 50% for two days.
With ransomware attacks, you should consider the impact both of downtime and of the need to roll back for an extended period. Recovery from a ransomware infection requires either identification of the time of infection or, more commonly, the recovery and testing of multiple restore points until a clean environment is confirmed.
Let’s say that a ransomware infection impacts a finance system, affecting a team of five users. For our example, the average salary of each staff member is £35,000 per year. It would not be uncommon for the recovery window of such an infection to cause three days of downtime, during which systems are rebuilt and tested, until at last a clean recovery point is found from a week ago.
For the next two weeks, the finance department not only has to recover from three days of outage, but they have also lost the previous week’s work. The efficiency of the team is impacted: not only does the department need to continue to process the normal day-to-day transactions, but they must also spend a considerable amount of time identifying and reproducing the work lost over the next two weeks. The total cost to the business is £6,700 for three days of outage only affecting five members of staff!
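The two costed examples above, together with the website revenue example from the "Revenue Loss" section, follow one simple model: daily cost of the affected staff, multiplied by the number of productive days lost, where a day at reduced efficiency counts as a fraction of a day. The following Python is an added example, not code from the original post or from Six Degrees. It assumes 260 working days per year, and for the finance-team case it assumes a 20% efficiency loss over the two weeks of reproducing lost work, since the post states only the headline figures; with those assumptions the model lands on roughly the same totals as the post (about £11,500 and about £6,700).

```python
"""Downtime cost model for the prevention-versus-recovery examples.

Added example, not from the original post. Working days per year and
the efficiency-loss factor for the ransomware case are assumptions.
"""
from dataclasses import dataclass

WORKING_DAYS_PER_YEAR = 260  # assumption: 52 weeks x 5 working days


@dataclass
class Outage:
    headcount: int
    avg_salary: float            # annual salary per affected person, in GBP
    downtime_days: float         # days on which staff cannot work at all
    lost_work_days: float = 0.0  # work discarded by rolling back to an old restore point
    degraded_days: float = 0.0   # days worked at reduced efficiency afterwards
    efficiency_loss: float = 0.0  # fraction of output lost on each degraded day (0.5 == 50%)

    def daily_cost(self) -> float:
        """Salary cost of the affected staff for one working day."""
        return self.headcount * self.avg_salary / WORKING_DAYS_PER_YEAR

    def lost_person_days(self) -> float:
        """Productive days lost, expressed as full-day equivalents."""
        return (self.downtime_days
                + self.lost_work_days
                + self.degraded_days * self.efficiency_loss)

    def cost(self) -> float:
        """Total productivity cost of the incident in GBP, rounded to pence."""
        return round(self.daily_cost() * self.lost_person_days(), 2)


def revenue_loss(daily_revenue: float, hours_down: float,
                 peak_multiplier: float = 1.0) -> float:
    """Revenue lost while a sales channel is unavailable.

    Assumes revenue is spread evenly over 24 hours unless a peak
    multiplier is supplied (the post notes losses are higher at peak).
    """
    return round(daily_revenue * hours_down / 24 * peak_multiplier, 2)


def office_outage_example() -> Outage:
    """50-person office, GBP 30,000 average salary, one day down, then 50% efficiency for two days."""
    return Outage(headcount=50, avg_salary=30_000, downtime_days=1,
                  degraded_days=2, efficiency_loss=0.5)


def finance_ransomware_example() -> Outage:
    """Five finance users, GBP 35,000 average salary, three days down,
    a week of work lost, then two weeks reproducing it.
    The 20% efficiency loss over those ten days is an assumption."""
    return Outage(headcount=5, avg_salary=35_000, downtime_days=3,
                  lost_work_days=5, degraded_days=10, efficiency_loss=0.2)


def prevention_pays(annual_prevention_cost: float, incident_cost: float,
                    expected_incidents_per_year: float) -> bool:
    """True when expected annual recovery cost exceeds the prevention spend."""
    return incident_cost * expected_incidents_per_year > annual_prevention_cost


if __name__ == "__main__":
    print(f"Office outage:        GBP {office_outage_example().cost():,.2f}")
    print(f"Finance ransomware:   GBP {finance_ransomware_example().cost():,.2f}")
    print(f"Website down 3 hours: GBP {revenue_loss(12_000, 3):,.2f}")
```

Changing the assumptions is the point of the model: raise the working-days figure, add on-costs to the salary, or widen the recovery window, and the comparison with a known annual prevention spend can be rerun in seconds.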
Put in these terms, the preventative costs of investing in cyber security suddenly don’t seem so extensive when compared to the cost to recover.
Prevention is Better Than Cure
One small business in the UK is successfully hacked every 19 seconds, according to Hiscox. Around 65,000 attempts to hack small- to medium-sized businesses (SMBs) occur in the UK every day, around 4,500 of which are successful. That equates to around 1.6 million of the 5.7 million SMBs in the UK per year. These statistics should influence your thinking when it comes to cyber security prevention versus recovery.
Ultimately, cyber security is a journey, not a destination. Any investment you make should be agile and flexible enough to meet both current and future demands. Six Degrees offers the capabilities and expertise you need to ensure business continuity in 2021 and beyond.
Ready to learn more about how we can keep your organisation secure? We recommend starting with our Aegis Cyber Security Maturity Assessment. Six Degrees conducts a comprehensive cyber security maturity and benchmarking assessment, delivered and managed in a consultant-led approach that provides you with point-in-time or ongoing visibility into your organisation’s security posture.
The Six Degrees Aegis platform will compile a detailed evaluation of your organisation’s cyber security readiness and your ability to address weaknesses, highlighting potential security gaps and making recommendations to reduce vulnerabilities. It draws on recognised standards and approaches including ISO/IEC 27001:2013, Cyber Essentials and NIST 800-53 to deliver a set of questions that cover a range of security domains.