Cyber risk is one of the most feared business risks globally, due to the proliferation and growing sophistication of attacks. While cyber crime is certainly a significant risk, most businesses can survive attacks if they have the right measures in place to limit the damage.
In recent years, cyber attacks have been blamed for even major enterprises going out of business. Examples include National Public Data, in the US, which filed for bankruptcy after a 2023 cyber attack, and vodka maker Stoli Group's US subsidiaries, Stoli USA and Kentucky Owl, which filed for bankruptcy late last year, citing the fallout from a ransomware attack.
In the UK, reports suggested that up to 60% of SMEs went out of business within six months of a cyber attack. Even where organisations survive these attacks, their financial losses can be staggering. Last year, the IBM Cost of a Data Breach report found that the global average cost of a data breach topped $4.9 million, 10% higher than in 2023 and the highest total to date.
Despite the devastating impacts for some organisations, best practice approaches to cyber security, proper preparation and effective incident response can limit the damage and costs associated with an attack.
This is partly because progress has been made in technologies to mitigate risk, and cyber crime has become so prolific that it has practically become normalised.
Ten years ago, ransomware was a novel attack, most organisations were unprepared to combat it, and the cost of ransoms, lost business and penalties was enough to bankrupt them.
Now, organisations have become more diligent about doing proper on-site and multi-site backups and implementing solutions to recover from a ransomware incident. There are now incidents where organisations get their systems back up and running in under two days, without having to pay a ransom.
However, while organisations are less likely to be bankrupted by ransom payments and downtime, there are serious new risks facing businesses: data exfiltration and reputational damage.
Because data exfiltration has become so lucrative for cyber criminals, many focus their efforts more on the data than on locking down systems. They may make money by selling access to systems and data, sell specific mailing lists, or they may use the data to commit fraud or identity theft.
Mitigating reputational risk
Reputational damage due to data exfiltration is a top concern for organisations today, because trust is very difficult to earn and very easy to lose. Lost trust due to a data leak not only impacts future opportunities, it also puts relationships with existing customers, partners and shareholders at risk.
Fortunately, cyber crime has become so widespread that customers and stakeholders are more understanding than they might have been 10 years ago. An organisation falling victim to a cyber attack is no longer the front-page news it once was, and organisations that come under attack may take a financial knock that quarter but typically recover.
An organisation that can demonstrate it applied cyber security best practice, and which is effective and transparent in its response and communications, has every chance of minimising losses due to a cyber attack.
In fact, the IBM Cost of a Data Breach Report found that 75% of the increase in average breach costs in the 2024 study was due to the cost of lost business and post-breach response activities.
In general, public sentiment is most negative where a company tries to hide the fact that it has been breached, or attempts to minimise the extent of the breach. If the organisation was found to have neglected basic security hygiene and was breached due to pure negligence and systemic disregard, it would suffer a great deal more reputational damage than those that did their due diligence and accidentally slipped up.
Key to limiting backlash and reputational damage is showing that the organisation took all the recommended security measures and applied best practice to minimise the impacts of cyber crime. These include regular vulnerability assessments and penetration testing, and robust incident response planning and testing.
After a breach, it is also important to notify the correct authorities, keep key stakeholders informed and communicate what actions the company is taking to prevent a similar incident from occurring in future.