According to an ENISA report, attacks on critical infrastructure can cost organizations up to €15 million.
It deemed that Critical Information Infrastructures (CIIs) provide resources upon which society depends, and cybersecurity incidents affecting CIIs are nowadays considered global risks that can have “significant negative impact for several countries or industries within the next 10 years”.
The report found that the most common attack types for the financial sector and ICTs are DoS/DDoS and malicious insiders, with the latter affecting the public sector too, while the most expensive attacks are considered to be insider threats, followed by DDoS and web-based attacks. Data appears to be the most valuable asset.
It also claimed that the cost of cybercrime can reach values as high as €15 million per organization a year, or 1.6% of the GDP for some countries, while business disruption represents the highest external cost, followed by the costs associated with information loss.
Charles White, CEO of IRM, comments: “With so many variables involved in cyber-attacks, it’s unsurprising that ENISA has found problems with the way cost reports are calculated."
“The cost of a breach to each organization can vary enormously depending on what assets are targeted, how important they are to this particular company, and what recovery capabilities they currently have. The theft of the exact same set of data could incur wildly different costs on two organizations based on the way they utilize the data and how quickly they can get back on track.”
White pointed at its Risky Business Report which found that more than a third of CISOs have no clear idea of what assets their businesses have or where they are located on the network, while only 28% regularly conduct exercises to categorize and value the data within their IT estate.
“Without this information, organizations have little hope of calculating how much a breach could cost them, which also makes effective budgeting very difficult,” he said. "CISOs not only need to be aware of the value of their assets, but they also need to effectively communicate the associated risks and costs to the board if they are to effectively protect them.”