It’s been rough sailing for organisations in the past year or so. In addition to the ongoing challenges of COVID-19, there are the effects of Brexit, increasing public awareness of privacy rights and regulatory pressure to improve data protection practices.
And, of course, there is the threat of cyber attacks. According to a UK government survey, 39% of UK businesses came under attack in the first quarter of 2021, with many incidents causing significant damage.
The specific costs will depend on the sophistication of the attack and how well it was executed.
For example, a DDoS (distributed denial-of-service) attack could knock systems offline for a few hours, creating a frustrated workforce and unhappy customers – but otherwise the cost would be comparatively low.
By contrast, an attacker who infects an organisation’s systems with ransomware could cripple them for days or even weeks. The cost of recovery, not to mention the ransom payment (if the organisation pays up) could result in losses of several million pounds.
To put a figure on how much cyber security incidents cost, a Ponemon Institute study found that organisations spend $3.86 million (about £2.9 million) per incident.
However, it notes that organisations can cut this cost dramatically by addressing four key factors:
- Incident detection
By implementing measures such as audit logs and forensics analysis, you will be able to spot breaches sooner and identify the full extent of the damage. The faster you do this, the less damage the attacker can cause.
- Lost business
This relates to both the direct damage caused by the breach – such as system downtime preventing you from completing processes – as well as long-term damage, such as customer churn and reputational loss.
Organisations that are better equipped to continue operating while under attack will be able to reduce lost business.
- Notification
This relates to the costs involved in disclosing incidents. For example, organisations may be required to contact affected data subjects, report the breach to their data protection authority and consult with outside experts.
- Ex-post response
These are the costs associated with recompensing affected data subjects, as well as the legal ramifications of the incident. They include credit monitoring services for victims, legal expenses, product discounts and regulatory fines.
Recognise, respond, recover
Navigating the cyber threat landscape has never been harder, but you will make life a lot easier by planning for disaster before it occurs.
The Cyber Security Breaches Survey 2021 found that directors and senior staff are placing a greater emphasis on data protection, but that doesn’t just mean preventing breaches. It also requires organisations to create processes to recognise, respond to and recover from incidents.
If the path to safety has been mapped out in advance, you can remain calm in the face of disaster and follow processes and policies that you have worked on and can trust.
If you’re looking for help creating that documentation, IT Governance can help steer you in the right direction. We offer a range of data protection and cyber security training, tools, software and consultancy services – all of which can be delivered remotely.
You may be particularly interested in our Business Continuity Pandemic Response Service, which is tailored to help you address cyber attacks and other disruptions while operating with a dispersed workforce.
Whether your workforce is cautious about returning to the office as lockdown ends or you’re offering staff the opportunity to work remotely on a permanent basis, we have you covered.
A version of this blog was originally published on 9 March 2018.