That’s the word from the 2013 Global Corporate IT Security Risks survey conducted by B2B International, in conjunction with Kaspersky Lab.
Any cyber-attack can cause an array of damages for a company, from brand reputation loss to clean-up services – but not all of those costs are quantifiable. B2B’s assessment was based on information about losses sustained as a direct result of security incidents. This comprised two main components: damage resulting from the incident itself – i.e., losses stemming from critical data leakage, business continuity and the costs associated with engaging incident remediation specialists; and unplanned ‘response’ costs required to prevent future, similar attacks, including hiring/training staff and hardware, software and other infrastructural updates.
After crunching the numbers, it appears that the majority of losses are caused by the incident itself. Lost opportunities and profits, as well as payments to third-party remediation specialists, average out at $559,368. “Response” expenses for hiring and training staff, as well as updating the hardware and software infrastructure, add an additional average payment of $57,800.
Interestingly, damages also varied depending on the region in which the targeted company operates, with Europe displaying a lower cost of damages than a number of other regions. For example, the largest damages were associated with incidents that involved companies operating in North America, followed closely by South America at $799,700.
The costs of a cyber-attack against small and mid-sized enterprises are lower than for large corporations. Nonetheless, considering the smaller size of these companies, the amounts still deal a significant blow, Kaspersky noted. The average loss resulting from IT security incidents for mid-sized European companies came in at roughly $55,000, of which approximately $25,000 is accounted for by the incident itself, while the remaining $16,700 comes from other associated expenditures.
Looking at the global statistics, the largest average losses from cyber-attacks among small and mid-sized businesses were recorded at $94,300 for companies in Asia-Pacific. Second place went to companies in North America, with average losses of $80,600. The lowest losses from cyber-attacks were seen in Russia, at $21,300 on average.
The survey also revealed that in some cases the financial losses incurred by small companies are accompanied by other losses amounting to approximately 5% of annual revenues. In one case, a company lost all of its business in a region where it had been successful prior to the incident.
“A key lesson to be drawn from this study is that even the most destructive and expensive attacks could have been prevented,” Kaspersky said. “Attacks exploited holes in company security that could have been patched up if only the targeted corporations had used quality IT security solutions and managed IT infrastructure appropriately.”