Hackers broke into the computer system of Norsk Hydro, a global aluminum producer, in 2019. Once they got a foothold in the company's environment, the criminals spent weeks exploring the IT systems looking for more vulnerabilities. When they finally launched the ransomware attack, 22,000 computers were hit in 40 different countries. The entire workforce, a total of 35,000 people, had to resort to pen and paper. Production lines that shape molten metal were switched to manual operation. Retired workers returned to help their colleagues do things "the old-fashioned way".
The cyber attack cost Norsk Hydro $75 million.
Data breaches are becoming increasingly expensive
The financial impact of suffering a data breach remains high for companies of all shapes and sizes. The cost of a data breach in 2020 averaged US$3.86 million, according to a report by IBM and the Ponemon Institute.
The survey shows a 10% increase in costs over the last five years.
These are direct costs, such as regulatory fines and time and effort to deal with the attack, and indirect costs, such as lost business opportunities and customer churn due to damage to the brand's reputation.
In addition, slow detection and containment of a breach drive up the final bill. Companies that contained a breach in less than 200 days spent an average of US$1.1 million less than those that took longer. In other words, quick responses save money. But such companies are the minority. The IBM report says that companies took, on average, a total of 280 days to identify and contain a breach.
Here, time is money for a simple reason: the more time an attacker has inside an environment, the more access they will gain to different devices, data, accounts and sensitive information.
German, Canadian and South African organizations are the fastest at finding and containing breaches: 160, 226 and 228 days respectively. Companies in the Middle East (380) and Brazil (369) took the longest. Among the sectors that took the longest were healthcare, the public sector and entertainment: all with an average of more than 310 days.
When they finally detect the problem, companies often believe that the costs of the incident will be one-off and momentary. And that once they've fixed the visible damage, they'll move on and get back to business as usual. Not so.
The damage lasts for a long time after an attack. For years, even. Around 61% of the damage is felt in the first year, 24% in the next 12 to 24 months, and the final 15% appears more than two years later.
Another factor to consider when calculating the costs of a breach is that remote working makes incidents more expensive. According to IBM, having a remote workforce increases the average total cost because organizations now face a lot of decentralization, with new network structures reaching private, insecure or unknown networks. A changing endpoint environment complicates incident response.
How much did unprepared organizations pay in 2020?
The costs of a data breach are decreasing for prepared companies that have decided to adopt effective cybersecurity practices. Organizations that have not yet taken any precautions, on the other hand, will face significantly higher costs.
Unprepared companies paid an average of $8.19 million per breach, which is 5.3% more than in 2019. The most expensive information lost in attacks was customer PII records, involved in around 80% of breaches.
In fact, almost 40% of the average total cost of a data breach stems from lost business. This includes lost revenue due to system downtime and the increased cost of acquiring new business due to reputational damage. This has increased from $1.42 million in the 2019 study to $1.52 million in the 2020 study.
How to reduce the cost of a breach?
The main advice for keeping the cost of a breach down is to have adequate visibility of your environment and ensure robust and tested offline backups. The trend is for modern, digital companies to look for solutions capable of identifying whether any digital assets of the protected brand are mentioned, and of alerting and acting quickly against the risk. This way, they will be able to dismantle cybercriminal actions planned on the dark web before they happen.
That's why the key to solving data security challenges is technology that monitors the depths of the internet, from the surface web to the deep and dark web, providing 360° visibility. This means brand protection, information leak detection and executive security.
Expanded use of encryption, automating security wherever possible, tested business continuity plans and a SOC can also reduce the potential cost of a breach.