The global WannaCry ransomware attack has shown how susceptible major, vital service organisations can be to cyber threats. Business leaders and IT teams around the world have been alarmed by how quickly the malware spread, and how debilitating the effects have been. While the worst of the attack has been remediated, the total cost is still being tallied.
Quantifying the cost of a cyber attack is never straightforward, as our recent 2017 Cyber Defence Monitor report highlighted. When asked how much a cyber attack would cost their business, Australian C-suite executives and IT Decision Makers (ITDMs) gave estimates that differed by $13 million. C-suite executives projected a successful breach could cost over $36 million, while ITDMs put the cost at around $23 million.
Both are, however, staggering numbers.
Differences in the perception of cost influence the amount businesses spend on cyber defence. If estimated costs are well below the actual costs, then when a cyber attack does occur, the C-suite and ITDMs are at risk of experiencing “bill shock”.
The hidden costs of miscommunication
Miscommunication is a key reason why so many businesses are unprepared for a cyber attack. For example, our report showed that over half (57 per cent) of C-suite executives believe the IT team is responsible for breaches. The lack of alignment around who is considered to be the ‘front line’ makes the cyber budget question very challenging, and could potentially have a dramatic impact on the strategic allocation of resources where they are most needed: protecting the organisation’s most important assets.
In the rapidly changing cyber security landscape, no two breaches are the same, so it’s difficult to predict what the impact may be when your business becomes a target. This difficulty is compounded by each stakeholder approaching the problem from a different perspective, with a different opinion of what is most valuable to the company.
There are, of course, direct costs that are easy to identify in the event of an attack, including share price, incident response and repair, and business continuity opportunity costs. Then there are the harder-to-quantify costs, such as reputation and trust amongst stakeholders including industry and government, customers and employees, as well as potential legal ramifications.
Avoiding bill shock – collaboration and communication
Every business leader and division has its own priorities when it comes to resource allocation. A first step to aligning business units is to promote information sharing between departments. Increased collaboration across C-suite and IT, risk and compliance teams is key to building an understanding of what the threats are and how they can be managed. With every part of the business owning critical information, breaking down silos internally will help better evaluate risk and the potential damage.
Once you have a connected business structure, with different groups willing and able to communicate with each other, the next step is to leverage data analytics to more effectively synthesise this pool of data into actionable outcomes. Predictive analytics will build on this: as data is continuously fed into the system, patterns will quickly become evident, which will better equip teams to manage threats before they occur.
Information sharing is at its most effective when it reaches not only across organisations, but across industries too. Sharing threat information, as well as learnings from past attacks, with the wider community is the best way to get smarter and fine-tune cyber strategies. It will ultimately create a network of informed businesses and business leaders, capable of coordinating their responses to increasingly sophisticated attacks.
With a clearer understanding of the threats, and the potential cost to their organisation of a successful attack, business leaders will have a better idea of where they need to invest, and will be better equipped to have these conversations with the board.