Paying hackers not to release the data they have stolen from you is not the best way to manage the financial repercussions of a cyber-attack. Nor is trying to hide the attack from the authorities.
Even the most vigilant companies can't rule out having to handle a cyber incident, and the cost of these events isn't to be taken lightly. According to IBM's 2023 Cost of a Data Breach study, the global average cost of a data breach is around 4.45 million USD. With cyberattacks rising in frequency and sophistication, that figure is forecast to keep climbing.
New tools and tactics are constantly being developed to exploit vulnerabilities in increasingly complex systems. Amid this relentless evolution, business leaders need to keep their finger on the pulse and stay aware of the latest threats if they are to minimise the potentially devastating financial consequences.
What’s the damage?
The financial repercussions of a cyberattack can be severe and multifaceted. The initial blow usually takes the form of short-term, direct costs: data recovery, and the fees of the external incident-response and forensic specialists brought in to contain the attack. In some cases attackers deploy ransomware, encrypting data and demanding a hefty ransom for its release; increasingly they also threaten to publish the data they have stolen if the ransom is not paid.
Perhaps the most overlooked consequence of a cyberattack is the regulatory cost. Breaches that expose sensitive customer or employee data can violate regulations such as GDPR, leading to sizable fines from regulators and further straining financial resources.
But the financial impact doesn't end there. Beyond immediate recovery costs, business-wide disruption brings normal operations to a halt, and revenue with it. Between lost productivity, lost sales and an inability to fulfil existing orders or maintain customer relationships, companies can struggle to regain their footing in the market.
Brand reputation is also liable to take a massive hit: news of a data breach can be enough to diminish customer trust on a large scale. In a recent Forrester survey, 41% of IT leaders said that lost brand equity and trust is the most expensive long-term outcome of a cyber-attack, because it reduces overall sales.
The 2016 Uber breach
In 2016, Uber experienced a major breach in which hackers accessed a large amount of sensitive data, including the personal information of 57 million Uber users and around 600,000 drivers' licence numbers. Uber's then CEO, Travis Kalanick, and other top executives, including the CSO and CFO, were informed of the breach. Instead of reporting the incident to regulators and the affected individuals, however, the executives decided to cover it up.
The financial impact was significant. Under the direction of the CSO and with the CFO's knowledge, Uber paid the hackers $100,000 in exchange for their silence and a promise to delete the stolen data, a promise the company had no way to verify. The hackers were also asked to sign non-disclosure agreements to keep the incident secret.
The mismanagement of the breach led to a $148 million settlement with US state attorneys general in 2018, the largest multistate data breach settlement at the time. Less easy to quantify, Uber's reputation was severely damaged by its handling of the incident, which undoubtedly eroded customer trust.
Clearly, paying off the hackers and hiding the breach was no way to manage the situation. Fortunately, there are better ways.
Stand strong with a robust cybersecurity posture
Attack prevention should always be the first step. By establishing a strong cybersecurity posture, businesses reduce their attack surface and narrow the window of opportunity for attackers. This starts with a cybersecurity roadmap that clearly allocates funding and resources across the business. Such a plan not only helps the organisation navigate potential threats and vulnerabilities but also fosters a culture of shared responsibility, instilling a duty to protect company data and systems.
Beyond fund allocation, CFOs should also consider how key stakeholders can take ownership of the cybersecurity posture, whether through regular progress reports, security-training participation metrics, or cybersecurity performance targets built into department-level goals. Focusing on stakeholder engagement helps ensure everybody understands their role in safeguarding the company.
Ditch the ‘always-on’ approach
While an 'always-on' approach may seem optimal for business operations, it also keeps systems permanently exposed. Remote attackers can only reach systems that are connected, so any network or device left connected to the internet around the clock presents a standing target. By physically isolating certain network components from the internet whenever they do not need to be connected, businesses can drastically limit an attacker's ability to steal sensitive data or disrupt operations.
But attack prevention has its limits. C-level executives must also consider measures that minimise the impact of an attack once one is under way. Physical isolation takes loss limitation a step further by giving businesses the power to instantly disconnect a specific network or device from the internet, acting as a 'fire break'. Cutting the connection severs the attacker's access and stops further spread without bringing the entire business to a halt, and because the disconnect happens at the physical layer it cannot be reversed from inside the compromised network. The fire break only works as intended, though, if the business has already mapped which systems can be cut off and what depends on them, so that the disconnect itself does not become the outage.
By containing a breach in an instant, businesses can significantly lessen the severity of an attack and reduce its overall cost. The ability to isolate threats quickly also helps maintain customer trust and guards against long-term reputational damage.
Empower employees through training
Cybercriminals often exploit psychological vulnerabilities, such as fear, confusion or deference to authority, to trick employees into compromising systems, as happened at Arup in 2024 when a deepfake video call impersonating senior staff was used to trick an employee into transferring around £20m to criminals. To foster a security-conscious work environment, business leaders should establish a framework that helps employees build their knowledge and understanding of cyber incidents.
Training programmes can encourage employees to report suspicious activity without fear of reprisal by addressing both the technical aspects of security and the psychological barriers to reporting. This should be supported by implementing and regularly updating incident response plans, ensuring staff are familiar with them, and running periodic cyber-attack drills to build practical skills.
At C-suite level, it's crucial that incident response training emphasises ethical decision-making and regulatory compliance. As Uber's 2016 breach shows, executives must put legal compliance ahead of short-term reputational damage control. Having a framework for timely disclosure to regulators and affected individuals in place before an incident occurs is key to avoiding the costliest outcomes of a data breach; under GDPR, for instance, a personal data breach must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it.
Strengthen your cyber defences
As the threat landscape continues to diversify, C-suite executives must recognise that prevention is more cost-effective than recovery. Proactive investment in cybersecurity makes it much harder for attackers to reach sensitive data in the first place.
It's worth noting that Uber's former CSO, Joe Sullivan, was prosecuted and in 2022 convicted of obstructing an FTC investigation and misprision of a felony for his handling of the attack. By adopting the approaches outlined above, business leaders can minimise the potential for financial loss, reputational damage and customer lawsuits, and gain peace of mind from improved stability and resilience.
By Angela-Marie Graham, CFO at Goldilock