Ponemon’s “2013 Cost of Cyber Crime Study” determined the average cost of cyber crime for companies in 2013 was $7.2 million, an increase of 30 percent from 2012. The report also found that companies that deployed security solutions cut their cyber crime costs by an average of $2 million. That statistic shows that cyber security ROI is 21 percent more than ROI for other technology investments. Despite these persuasive figures, companies aren’t spending on cyber security or incident response the way they should be, and a large reason behind this gap is that only 20 percent of IT security professionals communicate with company executives about potential threats.
From an executive’s perspective, it’s hard to invest money in a disaster that may not happen. To get the C-suite to prioritize cyber security solutions for business, IT needs to redirect the conversation from risk mitigation to cost savings. Gary White, a managing consultant for HP, suggests framing the issue to executives in the form of a question: What could the company do with another $7.2 million?
The High Cost of Cyber Security Lapses
Although IT can’t predict beyond a doubt that a security breach will happen, when a breach does happen, the cleanup costs become astronomical. Ponemon’s report shows security breaches are becoming both more common and more expensive:
- Cyber attacks are becoming more frequent. The organizations that Ponemon surveyed reported an average of 1.4 successful attacks per company per week, which is a 20-percent increase over the frequency of attacks in 2012.
- Cyber attacks take an average of 27 days to resolve. Organizations pay an average of $66,207 per day before attacks are resolved, so for the average 27-day response time, organizations will pay $509,665. This figure represents a 39-percent increase in the average post-attack remediation cost.
- Small businesses shoulder a higher cost for cyber attacks. Although larger organizations pay a higher total cost for cyber attacks, small businesses pay a higher cost per capita. A small company pays an average of $1,388 per employee while a large company pays $431 per employee.
- Cleaning up after an attack is the biggest cost item. Business disruption and information loss related to cyber security can account for as much as 73 percent of a company’s external costs related to litigation, regulatory fines and lost marketability of stolen intellectual property.
Certain Industries Are Targeted More Often Than Others
Companies working in the defense, health care, pharmaceutical and financial services industries are the most frequently targeted companies for cyber attacks. Denial-of-service attacks, Web-based attacks and malicious insider attacks are the most expensive to resolve. In fact, companies take an average of 53 days to discover and resolve a malicious insider attack, which means an average cost of $3.5 million per insider incident.
In addition to money lost to cyber attacks, C-suite execs may also lose valuable time. A big, reputation-damaging data breach, like the one suffered by Target over the 2013 holiday season, creates a lot of extra work for CEOs, CIOs, CTOs and PR executives. It also creates negative publicity and puts more strain on call centers and customer service channels. If time should optimally be spent on revenue-generating activities, then the massive time wastage resulting from a cyber attack represents not only actual cash losses, but also significant opportunity costs.
From Disinterested Executives to Cyber Security Champions
When IT workers ask C-suite executives the $7.2 million question, they should let execs know what cyber security losses mean in concrete terms. For instance, a hospital could provide 600 more hip replacements with $7.2 million. The Department of Defense could procure 44 new Humvees, a local government could hire 100 more police officers and a school could support 300 more student enrollments with $7.2 million.
When a network security breach inevitably happens, executives can look like heroes for cutting the company’s incident response time and saving on incident recovery costs. Instead of warning company management about a nebulous potential computer-related threat, IT should give the good news about cyber security solutions to the C-suite in the terms they understand best: dollar signs. After all, what executive doesn’t want to tell shareholders that he or she saved the company $7.2 million?