What is the cost of a data breach?

In 2019, hackers broke into the computer systems of Norsk Hydro, a global aluminium producer. Once they had a foothold in the company's environment, the criminals spent weeks exploring its IT systems looking for further weaknesses. When they finally launched the ransomware attack, 22,000 computers in 40 countries were hit. The entire workforce, 35,000 people, had to fall back on pen and paper. Production lines shaping molten metal were switched to manual operation, and retired workers returned to help colleagues run things the "old-fashioned" way.

The attack left Norsk Hydro with a bill of around $75 million.

Data breaches are becoming increasingly expensive

The financial impact of a data breach remains high for businesses of all shapes and sizes. According to a report by IBM and the Ponemon Institute, the average cost of a data breach in 2020 was $3.86 million.

The study shows a 10% increase in that cost over the last five years.

This figure covers direct costs, such as regulatory fines and the time and effort spent dealing with the attack, and indirect costs, such as lost business opportunities and customer churn caused by damage to the brand's reputation.

It is also important to consider that slow detection and containment make the final bill larger. Companies that contained a breach in under 200 days spent on average $1.1 million less than those that took longer. In other words, a quick response saves money, but it remains the exception: according to the IBM report, companies took an average of 280 days to identify and contain a breach.

Here time is money for a simple reason: the longer an attacker spends inside an environment, the more devices, data, accounts and sensitive information they gain access to.

German, Canadian and South African organisations are the fastest at finding and containing breaches: 160, 226 and 228 days respectively. Middle Eastern (380 days) and Brazilian (369 days) companies take the longest. Among sectors, healthcare, the public sector and entertainment take the longest, each averaging more than 310 days.

When they finally detect the problem, companies often assume that the costs of the incident will be one-off and short-lived, and that once the visible damage is repaired they can get back to business as usual. Not so.

The damage extends long after the attack, for years even. About 61% of the cost is felt in the first year, 24% in the following 12 to 24 months, and the remaining 15% more than two years later.

Another factor to consider when calculating the cost of a breach is that remote working makes incidents more expensive. According to IBM, a remote workforce raises the average total cost because organisations are now far more decentralised, with network structures reaching into private, insecure or unknown networks. This changed endpoint environment complicates incident response.

How much did unprepared organisations pay in 2020?

The cost of a data breach is falling for prepared companies that have adopted effective cybersecurity practices. Organisations that have not yet taken precautions, on the other hand, face significantly higher costs.

Unprepared companies paid an average of $8.19 million per breach, 5.3% more than in 2019. The most costly information lost in attacks was customer PII, which was involved in around 80% of breaches.

In fact, almost 40% of the average total cost of a data breach stems from lost business: lost revenue during system downtime and the increased cost of winning new business after reputational damage. This component rose from $1.42 million in the 2019 study to $1.52 million in the 2020 study.

How to reduce the cost of a breach?

The key advice for keeping the cost of a breach low is proper visibility of your environment, together with robust, tested offline backups. Modern, digital companies increasingly look for solutions that can detect any mention of the protected brand's digital assets and raise an alert quickly so that the risk can be acted on, allowing criminals' plans discussed on the dark web to be disrupted before they are carried out.

So the key to solving these data security challenges is technology that monitors the depths of the internet, from the surface web to the deep and dark web, providing 360° visibility: brand protection, information leak detection and executive security.

Extensive use of encryption, automating security wherever possible, tested business continuity plans and a security operations centre (SOC) can also reduce the potential cost of a breach.

By Ulysses Monteiro