A recent report by Deloitte has suggested that most of the impacts of a cyberattack are not considered by senior management and network professionals. The report refers to two types of impact: “Above the Surface” impacts are direct costs that are well considered, while “Beneath the Surface” impacts are less understood and, as a result, not considered when assessing risk.
The report mentions 14 impact factors in total, 7 above the surface and 7 below. Although one might disagree about how cut and dried this 50:50 split really is, the report certainly raises important areas of consideration that budget holders must look into when deciding on cyber-protection spend. That said, while a rough cost has been attributed to each of these impacts in the report, the cost in real terms should be considered on a business-by-business basis. For example, one of the hidden costs, ‘value of lost contract revenue’, would be far larger for a business trading on long-term contracts than for a brand-focussed B2C business.
The ‘above the surface’ costs are as follows: Technical investigation, Customer breach notification, Post-breach customer protection, Regulatory compliance, Public relations, Attorney fees/litigation, and Cybersecurity improvements. The report’s principal author, Emily Mossburg, states, “the effects of a cyberattack can ripple for years, resulting in a wide range of “hidden” costs—many of which are intangible impacts tied to reputation damage, operational disruption or loss of proprietary information or other strategic assets.” These hidden costs of course vary from industry to industry and business to business, but each can be assessed fairly easily if you’re looking for a rough idea of risk.
The most eye-catching statistic raised, however, is the scale of these hidden costs. The report suggests that over 90% of costs in real terms could be made up of the hidden costs, largely in lost contract revenue, lost value of customer relationships, and devaluation of trade name. The impact on an engineering business, or on businesses in other areas with limited assets in key areas, could be even more alarming once loss of intellectual property is considered. The increase in state-sponsored cyber espionage should draw attention to this risk of IP loss, with accusations all over the globe of governments stealing valuable IP data from commercial entities.
How much reports such as this will change how businesses protect their networks remains to be seen. However, the days of just deploying a firewall and some anti-virus and having a post-incident plan in place are certainly over.