Chapter 4
What Is the True Cost of a Cyber Attack?

Cyber attacks have become common occurrences. The companies in our study experienced 343 successful attacks per week and 1.4 successful attacks per company per week. We found that the average annualized cost of cyber crime for 234 organizations in our study is $7.2 million per year, with a range of $375,387 to $58 million. This represents an increase in cost of 30 percent from the consolidated global results of last year's cyber cost study.

Dr. Larry Ponemon of the Ponemon Institute

Here's a frightening thought. It's an observation, actually, one from the U.S. Office of the National Counterintelligence Executive. The U.S. workforce will experience a cultural shift that places greater value on access to information and less emphasis on privacy and data protection. At the same time, deepening globalization of economic activities will make national boundaries less of a deterrent to economic espionage than ever. The office further observes that political or social activists may use the tools of economic espionage against U.S. companies, agencies, or other entities, with disgruntled insiders leaking information about corporate trade secrets or critical U.S. technology to “hacktivist” groups like WikiLeaks.

It is an observation that's hard to argue with.

There is greater access to data, that's for sure. Not only is there more data today than ever before, but companies are keeping more of it (Big Data) and there are more places where data resides: more mobile devices, web sites, social media forums, and so on. And more people work remotely, from home, from hotels, even while on vacation. More people, using more data, on more devices, in more places, more of the time—and more people trying to steal the information. This is happening now, and the trend will continue. The scenario is decidedly not encouraging. Surely the convergence of these trends is going to result in greater breach-related costs. And there's an additional reason, too. Enhancing information security as part of an overall operational risk management isn't where it needs to be. This is unfortunate, but it's true.

All of this adds up to more data breaches, and that means more companies and governments spending more budget either on preventing or reducing breach impact, or paying the price after a breach occurs. It is usually the latter. While it is almost always less costly to prevent an information breach, organizations have not proven to be effective defenders of information integrity.

Try to avoid a data breach! That's the best advice. Preventing such a loss of information and brand integrity is always preferable, on many levels, to being the victim of a breach. It's also a lot less costly to prevent a breach. Sadly, it seems that some breaches are not preventable. This may sound fatalistic, but it's true. How could it be otherwise? Breaking and entering is not preventable. Homicide and other violent crimes are not preventable. It is possible to reduce these crimes, but crime cannot be eliminated. Crimes associated with cyber attacks are no different. It is critical to prepare for a breach, and how to respond to one, before it hits. Because when it hits, the meter starts running, and sometimes it doesn't stop for a long time.

Cyber attacks are growing more frequent, and they're increasingly effective (that is, damaging and costly). Examining the trends contributing to the frequency and effectiveness of the attacks, we see a “similarity between the tools, tactics, and techniques used by various actors, which reduces the reliability of using these factors to identify those responsible for computer network intrusions,” according to the U.S. Office of the National Counterintelligence Executive. “Hacker websites are prevalent across the Internet, and tool sharing is common, causing intrusions by unrelated actors to exhibit similar technical characteristics.”1 This is a major contributor to the increase in costs globally. It is harder to differentiate, detect, and identify specific attackers because of this blending of attacker signatures.

Another factor complicating accurate detection is that many hackers route operations through computers in third countries or physically operate from third countries to obscure the origin of their activity. This process of redirecting attacks through third countries adds a veil of obfuscation to identifying the hackers' origin. Additional time is required to make the identification, at additional cost in terms of identification, remediation, and recovery. It may also give the hackers more time to steal additional information, which can result in greater costs, financial and otherwise. To further complicate identification of the attackers, the foreign intelligence services of other countries may also be integrated into the attack scenario. Such attacks, which happen swiftly and are subject to rapid change, make it even harder to identify the attacker. At a macro level, it also complicates law enforcement investigation and delays action against the attacker. Again, there is a cost associated with this, and taxpayers foot the bill.

There's no sense in playing games. A cyber breach is going to be costly—in a lot of ways. There's the actual cost of the attack, which may involve the theft of money, extortion, and so on. And then there is the long chain of associated costs that are the unavoidable consequence of such an event. Consider the cyber attacks against companies like Target at the end of 2013. As with many similar breaches, the effects of these attacks are often not readily apparent, and the damage does not end immediately. Sometimes the attacks persist. But the aftermath of these attacks often has a long tail. The impact can be substantial and enduring. Some observers believe that the Target breach will ultimately bear a price tag of $1 billion, perhaps more. This isn't an unreasonable prediction. Take the TJX data breach. It happened in 2007 and is still talked about. Not only does the talk about data breaches linger, but the costs can continue to add up. Many of the data breaches seen in the pages of the media today will suffer long lives and involve a lot of costs.

Cost can be measured in many ways. There's the actual loss associated with a breach: money stolen, for example. There's the cost of managing and remediating the breach and its aftermath. Then consider the cost of lost revenue associated with customer drift. There's the loss of value of the company stock, the loss or hesitancy of business alliance partners and distribution partners. All of these losses and costs add up to loss and uncertainty about the future. Often it is difficult to calculate the cost in the short term because the impact of a cyber breach can be lingering, often for years.

What does it really cost when a company sustains a cyber attack? A lot of statistics have been published about the cost of cyber attacks. But there are many ways to answer the question. As is so often the case, what sounds like a straightforward question should have a straightforward answer. Unfortunately, that is not the case. Rational metrics exist for trying to better understand the costs of an attack, but these are only guidelines. In reality, the answer can be complicated, with many elements pertinent to the calculus absent during the analysis.

One thing, though, is clear. As the Ponemon study noted, cyber crime is growing—and it is costly. Ponemon found that U.S. companies are much more likely to experience the most expensive types of cyber attacks: malicious code, denial of service, and Web-based incidents. Similarly, Australia is most likely to experience denial-of-service attacks. In contrast, German companies are least likely to experience malicious code and botnets, according to Ponemon. Japanese companies are least likely to experience stolen devices and malicious code attacks.

Both short-term and long-term considerations have to be included in the assessment of cost. Sometimes it takes years to calculate the cost of a breach. Why? Because cyber attacks, like many other crimes, occur episodically, and over extended periods. Discovery timeframes vary. Some attacks are hit-and-run attacks: The damage occurs, it is immediately identified, and the incident investigation begins immediately.

It is never a good idea to wait for the middle of a breach to formulate an incident response plan. But this does happen, and often. It almost always costs more. Planning for a breach is prudent not only in order to defend a company's reputation and its obligations to its customer base, but from a cost perspective as well. Every stage of response has a cost associated with it, and planning each phase of the response results in a judicious and fiscally responsible risk management approach. Detection, investigation, incident response, containment, recovery, and other postbreach issues can be expensive.

Cyber Attack Detection Sometimes Takes Years

Denial-of-service attacks are often protracted and may occur at various times, often to create the greatest level of disruption and inconvenience. Other, more covert, attacks take place over years: The victim fails to realize that attacks are occurring. These cyber attacks can be subtle and hard to detect, depending on the attacked company's ability to spot them. Some well-defended organizations can recognize attack signals early on. Others don't have a clue, often for very long periods, even years. This highlights the importance of creating and managing an environment that is technically sophisticated and current. Companies with antiquated information technology systems and those that fail to adequately monitor for attack signals are the most vulnerable. Make no mistake about it, the longer it takes to detect the breach, the greater the potential for damage, and the greater the potential for damage, the greater the cost, on many fronts.

Also, some companies may monitor extensively, but then fail to analyze and correlate data that would indicate that the company is under attack, either from inside the organization or from the outside. This can be an inflammatory situation. Technology was used to capture the data but no one really looked at it carefully. Depending on the specific predicament, this can be a violation of various regulations, especially for regulated markets such as health care and financial services.

There are companies that have been successfully penetrated because the enterprise operating system was aged, no longer supported optimally by the developer. It no longer receives the appropriate software patches and upgrades. Sometimes this vulnerability arises due to lack of awareness and understanding by the board of directors and even by executive management. Management and the directors often have a faulty view of technology. Their perspectives have a long history. Since the dawn of the information technology age, information technology has best been interpreted as the use of tools to increase productivity. That's why there's an information technology industry. However, things have gotten more complicated. Information technology is also a vulnerability, which makes it a risk. It seems like a simple thing to comprehend, yet many do not.

But think about it this way: If a management team or board envisions information technology exclusively as a tool of productivity, and employees are adequately productive, it may be interpreted that there is no need to upgrade the information technology system. That translates into a condition of inadequate defensive protections based on the fact that the older technology is no longer supported. That older technology may be perfectly adequate for the employees to do the more visible part of their jobs, but it may be grossly inadequate from an information integrity and defense perspective. This was a board of directors' decision. They felt it unnecessary to invest in an enterprise-wide upgrade. The company was breached over a period of years and no one knew it, until it was too late, the damage done. The cost of the breach, as measured over the breach investigation period, was considerable. But the actual long-term cost is harder to assess. Here's why, and this is a common condition. Such conditions have contributed to serious breaches. First, the cyber attacks were not identifiable. Second, the malicious software was not prevented from extracting restricted information from the company.

Often, from the board's postbreach view, there's the recognition that the money should have been invested.

One of the First Questions: “How Much Will This Cost?”

The history of breach investigations is rich with a lot of questions—and fewer answers—about the true cost impact of the event. When a breach is discovered, often the first words out of the mouth of the executive charged with the responsibility of managing the breach are, “How much is this going to cost?” Most often, the answer is this: “That's a good question. There's a great deal of uncertainty. The facts are unknown. We'll know more soon, but we may not know the full extent of the damage for some time, and maybe a very long time.” The attacked executive then asks, “Can you define ‘some time’?” To which the answer can be, “It may be weeks, it may be years, before we know the whole story. Or some answers may be unobtainable.”

The short answer is this: it's hard to say, and it depends on when you stop counting, because some breaches have a long tail.

Many variables exist that can influence what is known, when it is known, whether that factor will influence the cost, and when that cost will be incurred. The victim's response is understandable. Regardless of the crisis at hand, most anyone wants to know what is happening, how it happened, and whether it is still happening. Sometimes it isn't easy to determine if an attack is still under way. In other cases, especially if a company is being targeted in an ongoing cyber attack, such as a denial-of-service attack, the costs continue to mount.

That's one thing about the different types of cyber attacks. Some attacks occur once, some periodically, others continuously. Many breaches consist of multiple phases, each with a cost impact. The commonality that companies experience in these attacks is the unknown. No one likes it, everyone experiences it. Unknowns also interject questions about cost.

Then there is usually another question that follows, frequently in the first minutes or hours of the case: “Are we going to have to report this?” The answer is typically something like this: “More than likely, you will have to report it to somebody at some time. It may be your corporate customer, or state, federal, and even foreign regulators, but, yes, you will have to report this to someone.” The answer, of course, is in the requirements of the statutes and regulations, as well as the contract language between the parties. In the case of a breach of unregulated data, there is still most likely the obligation to report the event to others with a vested interest: business partners, investors, bankers, shareholders, and others. Of course, all of this takes time and adds substantially to the cost of the breach.

A Few Common Cost Factors

Even for companies that are insured against the loss of information integrity, the cost can be considerable. One of the variables is how much insurance is carried and what exactly the policies cover. Then there are companies that have insurance but choose not to file a claim. Why? Because of concern over an increase in insurance rates.

Here are some common factors regarding cyber attack cost business impact:

  • The attack isn't recognized in a timely manner, which often occurs. There is a great deal of variance in detection timelines. Inadequate detection technology is an issue, but so is the type of attack. An attack intended to shut down a web site will be noticed more quickly than a surreptitious attack designed to quietly steal valuable information.
  • Attack indicators are not properly interpreted as a cyber attack and there's no sense of urgency or immediacy, leading to the loss of precious time.
  • The first inclination may be to manage the attack internally, using only internal resources, which is often an inadequate approach, leading to the loss of precious investigative time and adding cost.
  • Law enforcement may or may not become actively engaged. Law enforcement engagement can be a cost consideration, because an investigation paid for by law enforcement does not have a direct negative financial impact on the company. However, the principal purpose of a law enforcement investigation is to develop a case for prosecution, not to act as an advocate for the breached company. Law enforcement determines the extent and immediacy of its involvement based on several factors, among them the threat to national security, a direct financial loss exceeding a threshold amount, and other factors such as the involvement of transnational organized crime and human or sexual trafficking.
  • There is a lack of awareness of the probability of attack. Many boards still consider cyber attack as a “technology thing” or a “security thing.” They don't consider it a “board thing.” This contributes to an environmental apathy throughout the enterprise, one that may result in deficiencies in a variety of defenses that can quickly and accurately identify cyber attacks.
  • Decision paralysis is another factor. Many breaches are never reported, either to regulators or customers or even business partners, for one reason or another. Sometimes it is difficult for executives to report breaches. It can lead to significant cost and loss of brand value and reputation, and breaches can end up bringing a company into protracted, costly litigation. Thus some executives will wait to disclose, or not disclose at all. In either scenario, the failure to act aggressively to stop the attack and at the same time begin remediating the damage and potential future damage can be damaging. In the failure to disclose to the appropriate parties a cyber attack and resulting data breach, executives sometimes are just hoping for the best.
  • In the case of some external service providers, while they may report the breach to clients, they might not be fully cooperative with the clients beyond the basic minimum requirements of reporting consistent with state and federal or even foreign-country regulations. This leads to substantial additional effort—and risk—on the part of the principal company. That translates into additional cost.

What About Unreported Breaches?

Who wants to do business with a company that is constantly breached by hackers? Doing so could increase the risk to a customer, personal or corporate. But then how does anyone know if there's been a breach if it isn't reported? Many breaches are never reported. Some of those incidents should be reported because they are required to be under law. Still, many are not. Actual levels of compliance are believed by many regulators to be quite low. And what about the cyber attacks that result in the theft of intellectual property and trade secrets? Such attacks are not usually reported to regulators. So ascertaining reputation cost is very difficult under the best of circumstances.

The Office of the National Counterintelligence Executive states that:

  • Many victims of economic espionage are unaware of the crime until years after loss of the information.
  • Even when a company knows its sensitive information has been stolen by an insider or that its computer networks have been penetrated, it may choose not to report the event to the FBI or other law enforcement agencies. No legal requirement to report a loss of sensitive information or a remote computer intrusion exists, and announcing a security breach of this kind could tarnish a company's reputation and endanger its relationships with investors, bankers, suppliers, customers, and other stakeholders.
  • A company also may not want to publicly accuse a corporate rival or foreign government of stealing its secrets from fear of offending potential customers or business partners.
  • Finally, it is inherently difficult to assign an economic value to some types of information that are subject to theft. It would, for example, be nearly impossible to estimate the monetary value of talking points for a meeting between officials from a U.S. company and foreign counterparts.2

While companies may be required to report a breach of regulated data, such as health care information or other personal or financial data, very few companies actually track the fully dimensioned cost of a cyber attack over the long term. While the cyber theft of personal and health information captures the headlines, the theft of intellectual property and trade secrets can have severe long-term consequences, including reputation risk and cost. Under most circumstances, there is no obligation to report the loss of business information to law enforcement or other government agencies.

Economic espionage is growing and has a substantial cost impact on companies in the United States and elsewhere. Many companies don't discover these thefts until months or even years later.

Here's a rational scenario: Say a company pins its financial hopes and future on a critical technology. That specific technology will be the foundation for growth, revenue, profits, and the capability to perhaps acquire competitors, compete more effectively in the market, be able to afford more aggressive marketing and sales efforts, and build and sustain a market presence and even market dominance.

Let's say that the company has a partner in the development of that technology. Maybe that partner is a venture capital firm, a bank, or another company or companies committing resources to the successful completion and deployment of that technology. For argument's sake, say the total investment is $100 million. Assume that the $100 million investment is intended to generate, over 10 years, $1 billion. But the technology is compromised, stolen by a nation-state competitor, who is able to use the technology to leapfrog over the rest of the competitors, including the developers of the technology. What might be the consequence?

For one, there is the loss of projected revenue and market position, and everything that comes with being in the position of market dominance. A loss of market value could occur, based on market confidence, with devalued stock performance. If any of the technology loss was covered by insurance, insurance premiums would no doubt increase. The partners engaged in the development of the technology could sever relations with the company or, worse, sever and sue for the losses. It may prove difficult to repay any bank loans, just as it may prove difficult to find technology, financial, and market partners in the future. Then consider that the company's information systems were compromised and must be repaired and then be better protected in the future.

Will the board blame the chief executive officer? That has happened before, and it will happen again. After all, someone is going to have to take the blame. Senior executives and boards of directors are becoming savvy enough about cyber attacks to know that these attacks don't just happen, that there is usually someone to blame. The blame has historically been placed on the senior security officer, sometimes the chief information officer. But as executives and board members learn more about cyber attacks, they are coming to grips with the basic fact that successful cyber attacks usually happen because of lack of awareness by employees of the threat of risky behaviors, antiquated technology, ineffective information management policies and procedures that need to be revisited, and the failure to comply with even the basic mandatory minimums associated with regulations intended to reduce the risk of compromise of personal information. Applying even these basics to the protection of intellectual property and trade secrets is better than not protecting that information. But not all executives and all companies are coming up to speed quickly enough. And all the while, cyber attack sophistication is rising.

Cyber Attacks Result in a Wider Impact: The Community

The cost of cyber attacks can also be measured in terms of loss to the community. While most unfortunate, severe breaches, ones that result in the full impact of regulatory, legal, financial, and reputation risk, have formidable consequences. Employees lose jobs. The breached company pays less in taxes because it may be generating less revenue. Those jettisoned employees are paying less income tax because they are making less, and they may also be drawing unemployment insurance and perhaps additional government entitlements such as subsidized health care. Municipalities are impacted because it becomes more difficult for homeowners to pay real estate taxes. The chain of felt impact seems relentless and unending, yet these concerns are seldom part of the cyber breach impact discussion.

Even without a cyber breach to blame, the United States felt this kind of impact in the financial crash of 2007–2008. Most cyber attacks may not have this kind of highly consequential result. But on a smaller scale, it is worth considering the holistic impact that these types of breaches may have on the people who work for the breached companies.

Putting this in perspective, consider that stolen intellectual property and trade secrets bring a great deal of complexity to the question of determining the cost of a breach. Though it is difficult to place an absolute financial loss on breached intellectual property and trade secrets, consider that the total value of compromised secrets is possibly $1 trillion a year. The U.S. government estimates that approximately $250 billion to $300 billion a year is lost by U.S. companies through economic espionage.

Germany's Federal Office for the Protection of the Constitution (BfV) estimates that German companies lose $28–$71 billion and 30,000–70,000 jobs per year from foreign economic espionage. Approximately 70 percent of cases involve insiders.

South Korea says that the costs from foreign economic espionage in 2008 were $82 billion, up from $26 billion in 2004. The South Koreans report that 60 percent of victims are small and medium-size businesses and that half of all economic espionage comes from China.

Japan's Ministry of Economy, Trade, and Industry conducted a survey of 625 manufacturing firms in late 2007 and found that more than 35 percent of those responding reported some form of technology loss. More than 60 percent of those leaks involved China.

The important consideration is to recognize that cyber attacks have consequences, and those consequences can be measured in financial and other terms. It is not often the case that cyber breaches stimulate this track of thought, maybe because there is no one type of cyber attack. There is no one-size-fits-all cyber attack model. Every breach is different. Each company, based on its level of preparedness and defenses, is impacted to a greater or lesser degree. It matters what is being protected: regulated personal information or business secrets. It also matters, from a cost perspective, how long it takes before the breach is discovered. Some are identified rather swiftly, while others are discovered months or years later. The ability to identify cyber attackers sooner rather than later is based on several criteria: the technology in place to detect attacks, which is a direct reflection of the commitment and investment in that capability, and the level of sophistication of those attempting to penetrate the implemented defense.

The best advice is to try and prevent breaches by investing appropriately in the operational risk management processes and practices that will reduce the likelihood of a breach or the impact of one. Some organizations assume that breaches won't hit them. Maybe a few of them will be proven right. But most will be proven wrong.

Some have asked, “Well, what companies have gone out of business because of a breach?” Or they will ask, “What company stock has suffered because of a breach?” These are reasonable questions. The first answer is this: Don't let the past be a guide. We live in a rapidly changing environment. Just because it didn't happen in the past doesn't mean that it won't happen in the future. But there's another part of the answer. Since many breaches are never reported, their impacts do not become public. This is the shark fin perception. Reported breaches are like shark fins. Visual confirmation of a shark fin gives rise to caution. Reported breaches are the visible representations of what we perceive about the threat and its result. But it's the body of the shark, beneath the surface, that is the real threat, and that is what we don't see until it is too late. This is like the unreported breach. We don't really know what it looks like, who did it, why it was done, or what the impact will be. We don't know because there is no visual representation of it. It may as well be invisible. Basing our perceptions about hacking on what is available in the press is misleading and even dangerous. Most breaches are simply never reported, so the visible truth is not consistent with the factual truth. And that's the factual truth.

Notes
