Evaluating the potential cost of a cyber-attack

Organisations are becoming much more aware of the threat of cyber crime, but many are still finding it difficult to translate this threat into real business terms.  The potential impact of a successful cyber-attack on your business’s bottom line is not that easy to define, because attacks could range from a “drive-by” denial of service attack through to the targeted theft of intellectual property. 

The first step therefore is to try to understand what within your business a cyber attacker may see as being valuable enough to warrant an attack.  These may include:

  • Theft of your business’s proprietary information (or intellectual property)
  • Theft of personal data held by your business for the purposes of financial fraud or identity theft
  • Denying your customers or business partners access to important on-line services
  • Hijacking your IT infrastructure for use in perpetrating further computer crimes
  • Defacing your on-line cyber profile, i.e. corporate web sites, social media presence

Once you have an understanding of why your organisation may be attacked and the likely targets of the attacks, you can start thinking about the financial impact should an attack be successful:

  • The cost of IT disruption and recovery. How much will it cost IT to upgrade or replace defenseless servers, or implement new defenses en masse after a successful cyber-attack?
  • The impact on your share price or market valuation. The share price of a financial services provider was hit when news broke that it had sustained a cyber-attack. The breach affected several million of the company’s private and business clients, and stripped several billion from its market capitalization. This sort of impact can put the generally low IT expense of added protection in proper context when discussing the potential ramifications with senior management.
  • The impact on your ability to operate effectively and competitively. Where does all the data sit that holds the findings of years of research into your new products and that supports your IP? Theft or corruption of this information could destroy future revenue streams for your business as well as your competitive advantage.
  • The impact on customers, on your brand or reputation. Imagine a company suffers from a cyber-attack, and thousands of credit card details and other customer data are stolen. The actual direct losses to the company are far less significant than the damage to its reputation and customer loyalty. The cost of restoring trust among customers would be significant.

Using these tips will help you make the case for improving your organisation’s cyber defences, as it will allow you to tap into the main concerns of senior management by putting cyber security in a context the board will understand.