I recently attended a highly engaging Insurance Institute lecture given by Tom Keating, MD of FireEye, Inc, a cyber security consultancy, in which he gave all attendees an overview of the shape and make-up of present cyber attacks, their purpose and their impact on companies.
One of the key messages Tom impressed upon us was that “a healthy paranoia on cyber security is essential” in today’s environment and that if you think “it won’t happen to me”, it probably already has or will do at some point.
What I found most interesting was that the median number of days before a company detects an online breach is a quite shocking 146 days. Statistically, it takes a company 32 days to respond to said breach, meaning that the attackers have had the guts of six months to wreak havoc on a company’s databases and websites through confidential information leaks, theft of assets and in some cases destruction of its entire IT infrastructure. The average cost of said breach, according to Tom, was a healthy $3.5M.
Now I ask you, what companies out there can afford to have that happen? Never mind the inconvenience and nuisance factors, this could also compromise your reputation amongst your customers, especially if the attack involves a data breach of any kind. Sure, the short-term impact could mean the loss of customers’ data, but the longer-term impact on your company’s brand and reputation could be fatal. Tom estimates that more than half of all Irish companies have suffered a data breach within the past year, and if the stats regarding detection are to be believed, that means there is a lot of potential damage already done.
The more prudent amongst us will have some form of an Incident Response plan to deal with an event like this. Sadly, most don’t and won’t until it’s too late. In terms of quantifying the financial impact of a cyber attack, it’s not always possible to measure this in advance, but we do have some fairly recent high-profile breaches to measure this against. For example, Sony’s breach in November 2014 is estimated to have cost $130M, and they are still dealing with the fallout from a cleanup and recovery perspective.
Whilst acknowledging that there is “no silver bullet” solution to this problem, Tom did say that every company has a responsibility to educate its staff from top to bottom about the risks and threats posed by an attack. One potential safety net is to take out a Cyber Insurance policy, which I know several insurers are actively offering to the market and a variety of brokers are adding to their array of products.
So in summation, I guess the key question is, can we individually or collectively afford not to have some covers in place? With Cyber attacks and online phishing an everyday occurrence, the reality is that breaches can and will happen. After that it’s semantics as to how much it’s going to hurt you and your business.