The long-tail costs of a serious cyber incident are often underestimated or unaccounted for, and this has an impact on cyber security teams and investment levels in appropriate defences.
There’s no shortage of annual studies that attempt to calculate the financial cost of cyber attacks and data breaches. The problem is that these efforts are often incomplete and put a price on only part of the incident – for example, the number of records stolen or people affected.
This can be misleading and underestimate the true cost of a data breach – with new research by ExtraHop showing that attacks are often much more expensive than reported.
Public companies experience a long tail of financial underperformance following a security incident that correlates with the ongoing fallout from the attack. When stock price reductions are sustained and consecutive quarters of losses are factored in, the true financial cost of an incident can easily run into the hundreds of millions of dollars – or billions in some cases.
Obviously, not every attack victim is a public company; attackers target other organisation types, too. But it is fair to say there would be a proportionate impact on unlisted and private firms that experienced incidents, assuming they similarly disclosed the attack to customers or the public. In our experience, a sizeable proportion will try to avoid disclosure, and the extent to which news of the attack filters out affects the size of the revenue impact.
Either way, attack victims know they’ll be up for costs: the only question is how much.
Cyber insurance can be used to defray some of these costs, but it’s very much policy- and coverage-dependent. Our review of incidents that impacted listed companies shows one-third of companies had an insurance policy that covered most or all of the total cost. Other insured parties recovered a fraction of the total cost, ranging from one-fifth to as little as one-tenth. Out-of-pocket costs, including detrimental impact on future earnings and revenue, are generally unclaimable.
Real people lose real money after a breach
One of the data breaches featured in the study impacted over 1 million people – which, for comparative purposes, would place it in the second-highest impact category under Office of the Australian Information Commissioner reporting. Attackers were able to gain initial access, escalate their attack, and steal sensitive data – all while remaining undetected.
When disclosed to the market, shareholder reaction was swift: the organisation’s share price fell 21 per cent in a day and was down 35 per cent after a week. The price remained down 22 per cent for over two and a half months.
The attack itself was financially draining in other ways, too. Total costs exceeded US$1 billion – equivalent to US$1,000 per victim. Only one-third of that went to reimbursing customers’ costs, such as identity document replacement or providing third-party identity theft monitoring. More than US$300 million went to various states and regulators, and US$80 million was spent on legal fees. Cyber insurance covered about one-tenth of the cost.
What’s more, in seven of the next eight quarters, net income was either down by a double-digit percentage from the same quarter a year earlier, or a net profit from a year earlier had turned into a net loss.
This is far from an isolated experience; organisations that get breached experience cost impacts that outlast the post-incident response and remediation activity, often by a year or more.
One of the major impacts of cost underestimation is that it leads to cyber security budgets and decision making that are broadly out of step with the magnitude of a potential attack.
Securing an organisation can be a significant investment, but investing in strong security tools is arguably far cheaper than absorbing the cost of a massive data breach. If the actual size and scale of the financial impact experienced by victims were better understood, much of the current constraint on and pushback against cyber security budgets, and against business cases to invest more in cyber security, would likely fall by the wayside.
By having a clearer and more accurate picture of the lingering, end-to-end financial impact of a data breach, organisations have a better evidentiary base to support bullet-proof business cases for investment in security controls that can help prevent and detect breaches before they become business problems.
The power of network detection and response
For organisations looking at investing today to mitigate the risk of a cyber incident “tomorrow”, the biggest bang for the buck – and indeed the technology that provides the broadest mitigation impact, given what we know about commonly observed vectors and attack patterns – is a strong network detection and response (NDR) solution to augment existing layers of security tools.
A cyber security strategy that includes NDR alongside EDR, SIEM, and other security tools can provide more visibility across an organisation and increase the chances of avoiding expensive data breaches.
For attacks designed to circumvent endpoint defences, tuning into the network can help security teams pick up on post-compromise activities like privilege escalation, network scanning and discovery, lateral movement, and command and control communication that signals an attack in progress. Detecting post-compromise activities via the network gives security teams an opportunity to stop attacks before they turn into costly data breaches.
A strong NDR solution should leverage the network and the packets it carries to automatically discover and classify every asset, managed or unmanaged, that connects to and communicates over it; it should also show which protocols and ports those assets use to communicate, and whether any are suspicious or associated with known malicious IP addresses. Without the ability to use machine learning to baseline normal network behaviour and identify deviations from it, to perform continuous and on-demand packet capture to detect post-compromise activities, and to decrypt all east-west network traffic, organisations will continue to miss the telltale tactics and techniques that signal early-stage and mid-game attacks.
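To make the "baseline normal, then flag deviations" idea concrete, here is an added illustration of two of the post-compromise behaviours named above, internal scanning/discovery and periodic command-and-control check-ins, detected from flow records. This is example code written for this article, not ExtraHop's product logic; the flow records, the internal address range, and the thresholds are all constructed assumptions.

```python
"""Baseline-and-deviation detection over constructed network flow records.

Added illustration (not ExtraHop code): learns each host's normal
(destination, port) pairs from a quiet window, then flags hosts that sweep many
new internal targets (scanning/discovery) and hosts that contact an external
address at near-constant intervals (beaconing). All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: the organisation's internal range (constructed for this example).
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since the start of the observation window
    src: str
    dst: str
    dport: int


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL_NET


# Constructed "normal" window: workstations talk to a file server, a web proxy
# and one SaaS endpoint. Timestamps are illustrative only.
BASELINE_FLOWS = (
    [Flow(t, "10.0.0.5", "10.0.0.10", 445) for t in range(0, 3600, 600)]
    + [Flow(t, "10.0.0.5", "10.0.0.20", 443) for t in range(100, 3600, 900)]
    + [Flow(t, "10.0.0.5", "198.51.100.1", 443) for t in (10, 95, 400)]
    + [Flow(t, "10.0.0.6", "10.0.0.10", 445) for t in range(50, 3600, 700)]
)

# Constructed detection window: 10.0.0.5 keeps its normal traffic but also
# sweeps port 445 across 31 hosts it has never contacted and checks in with an
# external host roughly every 60 seconds; 10.0.0.6 only touches one new server.
DETECTION_FLOWS = (
    [Flow(t, "10.0.0.5", "10.0.0.10", 445) for t in range(0, 3600, 600)]
    + [Flow(t, "10.0.0.5", "198.51.100.1", 443) for t in (10, 95, 400, 1250, 1300, 2900)]
    + [Flow(500 + i, "10.0.0.5", f"10.0.0.{30 + i}", 445) for i in range(31)]
    + [Flow(60 * i + j, "10.0.0.5", "203.0.113.7", 443)
       for i, j in enumerate([0, 1, -1, 2, 0, -2, 1, 0, -1, 1])]
    + [Flow(t, "10.0.0.6", "10.0.0.10", 445) for t in range(50, 3600, 700)]
    + [Flow(700, "10.0.0.6", "10.0.0.21", 443)]
)


def build_baseline(flows):
    """Map each source host to the (dst, port) pairs it normally uses."""
    normal = defaultdict(set)
    for f in flows:
        normal[f.src].add((f.dst, f.dport))
    return normal


def detect_internal_scan(flows, baseline, threshold=10):
    """Return {src: count} for hosts hitting >= threshold internal (dst, port)
    pairs that never appeared in their baseline."""
    new_targets = defaultdict(set)
    for f in flows:
        if is_internal(f.dst) and (f.dst, f.dport) not in baseline.get(f.src, set()):
            new_targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in new_targets.items() if len(t) >= threshold}


def detect_beacons(flows, min_events=6, max_cv=0.15):
    """Return [((src, dst, port), avg_gap_seconds)] for external conversations
    whose inter-connection gaps have low jitter (coefficient of variation)."""
    stamps = defaultdict(list)
    for f in flows:
        if not is_internal(f.dst):
            stamps[(f.src, f.dst, f.dport)].append(f.ts)
    hits = []
    for key, ts in stamps.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((key, round(avg)))
    return hits


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    print("scan candidates:", detect_internal_scan(DETECTION_FLOWS, base))
    print("beacon candidates:", detect_beacons(DETECTION_FLOWS))
```

The irregular traffic from 10.0.0.5 to 198.51.100.1 is deliberately included so the beacon check has a legitimate conversation to ignore; in practice the thresholds would be tuned per environment, and the baseline would be refreshed as assets and workloads change.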
Organisations need to understand that a data breach is often far more costly than the point-in-time figures published by victim organisations within months of the incident – and that the financial impact may still be felt years later. Most companies can’t afford a US$9 million breach, let alone a US$1 billion one.
Organisations need to ensure that their cyber security budget is commensurate with the financial risk that an incident poses. A relatively small investment in technology now may limit severe financial repercussions later.
Daniel Chu is the vice president of sales engineering, APAC, at ExtraHop.