How much does a cyberattack cost companies?

Making an approximate calculation of a company’s economic impact after suffering the consequences of a cyberattack is not easy. There are many factors that vary depending on the country, type of attack, type of company, number of companies surveyed and the respective countries in which they operate, etc.

For this reason, the different media or studies dedicated to research on the subject, provide different results since each of them will use their own sources and respondents, which usually leads to variable data.

Even so, what all data reveals is that, due to the wide variety and sophistication of the growing online financial threats, the losses caused by online fraud, identity theft, and piracy, costs have increased to millions.

In addition, it should be noted that many of the cyberattacks are not reported to the relevant organizations because they are afraid of the possible negative repercussions, so the figure could be even higher.

As it is logical, the easiest way to get an idea of the global economic impact of cyberattacks, is to review the data of previous years. The study revealed by Accenture estimates that from 2013 to 2017 the average cost of cyberattacks has increased by 62%. In fact, in 2017, it has already increased by 27.4% compared to 2016, which means the average cost in 2017 is $11.7 million.

This is a very low figure compared to the forecast made by Cybersecurity Ventures, which estimates that in 2021 the worldwide cost will be $6 trillion per year.

A cyberattack costs more than a natural disaster

At least in the United States. Hurricane Katrina shook the country in 2005 as one of the worst and most costly natural disasters. The damages reached $108 billion. In the case of Hurricane Sandy, the losses did not exceed $70 billion. Very little compared to the estimation made by the British insurance company Lloyd’s and the cyber security analyst company Cyence, who predict that the threat of hacking in the United States could cost $121 billion. This means a difference of 13 billion dollars in comparison to the damage caused by Hurricane Katrina.

And according to the same study of Accenture, the United States is the country with the highest economic cost with an impact of $21.22 million, followed by Germany, Japan and the United Kingdom.

However, the country where the cost of cyberattacks has risen most is Germany, with 42.4% more than in 2016.

Rescues worth millions of dollars

Companies spent an average of $2 million on fighting malware and $2.4 million on web-based attacks last year.

To cite one of the most famous cases of malware in the world, it is worth mentioning ransomware, a virus that blocks systems and, in some cases, encrypts the data in exchange for an economic compensation as a rescue to restore normality. The global cyberattack of the Wannacry ransomware, which infected more than 300,000 computers in 150 countries, had an economic impact of more than $1 billion on affected enterprises according to McClathy, citing experts from computer security firm KnowBe4.

Banks hit with a ransom are hurt even more

The banking sector is the most affected by cyberthreats, since the average annual cost is set at $18.28 million.

And it is not surprising if we take a look to some of the cases which have occurred over the last few years. One of the examples is the Central Bank of Bangladesh, which in February 2016 was infected with malware, allowing fraudulent transfers. Fortunately, most of those transactions were blocked in time and cybercriminals could “only” steal $81 million out of the $951 million they could have gotten.

Small businesses also suffer the consequences

Accenture points out the larger the company is and the larger the number of direct connections it has to the network or company systems, the more expensive are the costs.

However, the costs of each type of attack vary depending on the size of the companies. Small businesses experience a higher proportion of costs in relation to malware, web attacks and phishing or social engineering. Instead, larger companies are investing a greater economic effort to reverse the damage caused by the blockade of their services, internal attacks performed by their employees and the malicious code.

According to the “Financial Impact of IT Security on European Businesses” report by Kaspersky Lab, the financial impact of a single attack and data theft vector is estimated at approximately €77,372 for SMEs worldwide and at €770,252 for large companies. In this calculation, IT staff reassignment represents the highest additional cost for both SMEs and large enterprises with $14,138 and $125,938 respectively.

The frequency of the attack also influences the cost

The cost of cybercrime also depends on how often it is attacked. Therefore, the greatest economic damages are caused by crimes related to those provoked within the company (malicious insiders), blocking services, web attacks and social engineering.

Yes, social engineering again. It is one of the attacks that has become more frequent over the last few years due to the staff negligence and a lack of training. Even the identity of any CEO can be stolen and used to send an email to their employees and cause a disaster.

In fact, in early 2016, thieves, posing as senior managers, ordered a multi million dollar transfer to a company accountant. It’s the so-called ‘CEO fraud‘. A few days later, an Austrian aircraft systems builder claimed to have lost 50 million with the same deception.

Globally hundreds of companies, large and small, have been scammed. In the United States, the FBI typifies it as a ‘Business Email Compromise’. From October 2013 to August 2015, more than 7,000 cases were reported, with losses of $750 billion.

The most expensive consequence: the theft of information

Theft of information has remained, since 2015, as the first reason for cyber attacks. In addition, over the last 3 years, the cost of recovery has continued to increase, and has become the most expensive component with a 43% in comparison to other consequences such as business disruption, loss of profits and equipment damage.

It is not easy to recover from the impact to a cyberattack as you may also have to deal with these other consequences:

Loss of income due to business interruption (such as denial of service attacks that disable portals).
Theft of data (industrial secrecy, personal data, etc.).
Extortion expenses.
Damage or loss of data in computer systems.
Expenses in notification of affected, crisis management, systems recovery and information.
Cost of civil and legal liability with penalties and claims (by entities such as Data Protection Agency or other public entities).
Reputational cost of image and reputation in RRSS (especially in financial services, banking, health, law or other services in which personal information is treated).

What conclusions can be drawn?

It is a fact all companies, regardless of size, are susceptible to a cyberattack. And although it is not possible to calculate an exact number for economic losses due to cyber attacks in recent years, it can be said that monetary damages have been increasing and the trend that grew the most in 2017 was Ransomware, in which a cybercriminal asks an organization for money to unlock all the information.

We all know one hundred percent security is difficult to achieve, both in real life and on the Internet.

That is why prevention is better than cure. Investment in cybersecurity is always and will be a good option. Count on Open Data Security and we will advise you on how to maximize the security of your systems.

The complete infographic may be viewed by clicking on the image: