There’s no doubt that ransomware and other cyberattacks can inflict great damage to a company. But how much? How much money and how much opportunity is gone for you and your customers by not maintaining a cybersecure environment?
One narrative, now well-established, notes that a cyber-attack can not only impact the productivity of an organisation but lead to the loss of a production line for a period of time and in doing so cause crippling revenue losses. Something as small as a general email ‘phishing’ attack, where employees are sent an email containing a malicious link, can have a devastating impact.
Cybercriminals can infect a manufacturer’s network with malware or ransomware, rendering its IT systems unusable, impacting its reputation and leaving it with a sizable bill.
The problem was a primary topic of conversation at a recent CompTIA UK Business Technology Community meeting in Manchester. Ian Thornton-Trump, CISO at Cyjax, touched on a problem that many within the cyber security industry have been struggling with for a number of years—how to communicate opportunity cost of not staying cyber secure to clients or the board.
According to Thornton-Trump, views widely held on the issue still often come down to “this is something that won’t happen to me,” “the cost of protection is so high it will outweigh any potential losses,” or “the effects will be minimal”.
Trump also made the point that IT failure and unexpected downtime, even if only for a few minutes, can incur enormous cost –one that although sometimes obvious, is often hidden.
Sometimes a failure can even effectively shut down your business.
Beyond the direct loss in revenue and sales, which can be crippling, downtime creates inefficiencies, which has a ripple effect across multiple areas of your business.
So how do you convince your clients or your board to take this threat seriously and build the appropriate resilience? The answer he focused on was to show them how much the business could lose.
Here is a simple formula:
Last year annual revenue £3,470,000
Desired growth percentage 18%
Revenue Target £4,096,600 (118%)
Divided by 52 for per-week revenue £78,700
Add annual payroll costs £2,430,000
(usually 20% of last year’s revenue)
Divide by 52 per week payroll £46,700
Total cost of 1 week of network downtime £125,400
Although a simplified formula may help to convince some clients, it’s also worth being aware of other, more intangible costs of any breach. For example, Retail Perceptions reported that 12% of customers shopped less frequently at a retailer after it experienced a security breach.
Referring back to the previous example, this could further increase the potential cost.
£4,096,600 x 12% = £49,200/52 = £9,450 per week
£125,400 + £9450 = £134,850 (Total Cost of 1 week of network downtime)
The truth is that the cost of a data breach depends on a multitude of factors. There are some you can influence, such as the losses felt by your customers or lost revenue and some that you can’t, like fines, forensics, and investigations. It’s of course hugely difficult to precisely estimate how much a data breach could cost your company because every breach is unique. The above formula can act as a good starting point.
The key thing to remember when communicating the potential effects to clients is not just the initial impact but also the ripple effects that follow. It’s not always easy to convince the board to allocate appropriate resources to something they don’t necessarily fully understand. However, building your case with a credible rationale that focuses on financial data from your own business certainly gives you a head start.