Prevention Versus Recovery: Calculating the True Cost of Cyber-Attacks

The True Cost of Cyber-Attacks: Key Areas to Consider

When calculating the cost of cyber-attacks, there are typically four areas that are measured: cost to fix, revenue loss, productivity loss and reputational damage. We’ll run through these one at a time.

• Cost to Fix. When your organisation suffers downtime, the cost to fix is totally dependent on the provisions that you have in place to support recovery. If you have outdated business continuity provisions that are unable to adequately deal with a cyber-attack, you may need to fly in specialist firms and individuals to do their best to recover your data. This will, of course, come at a premium. If, on the other hand, you have appropriate provisions in place that have been tested and are known to support the rapid recovery of systems and data, your cost to fix will be significantly lower.
• Revenue Loss. How important is system uptime to your organisation’s revenues? For some more ‘traditional’ businesses, an IT outage may not be too damaging. But for many modern businesses, especially those that carry out sales and marketing online, downtime can result in significant losses in revenue. Consider the systems that your business relies on to bring in revenue, and calculate how much revenue the systems account for. As an example, transactions on your website may account for £12,000 of revenue a day. If your website is unavailable for three hours, this will mean around £1,500 of lost revenue – more if the website is down during peak hours.
• Productivity Loss. Of all the factors that need to be considered with the cost of downtime, productivity loss is perhaps the most significant. Having employees unable to work is financially damaging to any business, and the longer they remain unproductive, the costlier it becomes.
• Reputational Damage. The reputational damage of a cyber-attack may feel less tangible than financial and operational damage, but it is important to consider. Organisations that trade on their reputation are likely to lose considerable consumer trust if they suffer downtime or a data breach. Consider your own purchasing habits – would you purchase from an online store you knew had leaked customers’ credit card information in the past?

These key areas are essential considerations when calculating the true cost of cyber-attacks. However, if they still feel a little intangible, we’ll take you through a costed example in the following section.

Prevention Versus Recovery: A Costed Example

Consider an outage at a 50-person office that lasts one business day. If the average annual salary in the office is £30,000, one day of downtime will cost the business over £11,400, factoring in a drop in efficiency of 50% for two days.

With ransomware attacks, you should consider the impact both of downtime and of the need to roll-back for an extended period. Recovery from a ransomware infection requires either identification of the time of infection or, more commonly, the recovery and testing of multiple restore points until a clean environment is confirmed.

Let’s say that a ransomware infection impacts a finance system, affecting a team of five users. For our example, the average salary of each staff member is £35,000 per year. It would not be uncommon for the recovery window of such an infection to cause three days of downtime, during which systems are rebuilt and tested, until at last a clean recovery point is found from a week ago.

For the next two weeks, the finance department not only has to recover from three days of outage, but they have also lost the previous week’s work. The efficiency of the team is impacted: not only does the department need to continue to process the normal day-to-day transactions, but they must also spend a considerable amount of time identifying and reproducing the work lost over the next two weeks. The total cost to the business is £6,700 for three days of outage only affecting five members of staff!

Put in these terms, the preventative costs of investing in cyber security suddenly don’t seem so extensive when compared to the cost to recover.

Prevention is Better Than Cure

One small business in the UK is successfully hacked every 19 seconds, according to Hiscox. Around 65,000 attempts to hack small- to medium-sized businesses (SMBs) occur in the UK every day, around 4,500 of which are successful. That equates to around 1.6 million of the 5.7 million SMBs in the UK per year. These statistics should influence your thinking when it comes to cyber security prevention versus recovery.

Ultimately, cyber security is a journey, not a destination. Any investment you make should be agile and flexible enough to meet both current and future demands. Six Degrees offers the capabilities and expertise you need to ensure business continuity in 2021 and beyond.

Ready to learn more about how we can keep your organisation secure? We recommend starting with our Aegis Cyber Security Maturity Assessment. Six Degrees conducts a comprehensive cyber security maturity and benchmarking assessment, delivered and managed in a consultant-led approach that provides you with point-in-time or ongoing visibility into your organisation’s security posture.

The Six Degrees Aegis platform will compile a detailed evaluation of your organisation’s cyber security readiness and your ability to address weaknesses, highlighting potential security gaps and making recommendations to reduce vulnerabilities. It draws on recognised standards and approaches including ISO/IEC 27001:2013, Cyber Essentials and NIST 800-53 to deliver a set of questions that cover a range of security domains.