It was a Friday afternoon when the first signs of a computer security problem emerged at the Sydney based professional services business. An infected zip file had arrived, ostensibly from a client, been opened and rogue code began working alphabetically through the business’s files, locking each one as it went.
The managing director, who does not wish to be identified publicly, literally pulled the plug on the computer and called in the IT services supplier. Rather than pay a ransom the company decided to reboot from its backup.
The company had regularly been assured by its IT supplier that its backups were all in order and secure. But when push came to shove, the backup hadn’t worked and more than seven months of files were lost.
Since June the business has had to painstakingly recreate the files from emails and attachments. It has cost about A$10,000 in terms of the hours devoted to the rebuild – but it’s hard to quantify the cost of the dent to its reputation.
“I might just pay [a ransom] next time,” says the managing director.
And there likely will be a next time as computer security is a growing issue in Australia for businesses of all scales.
In its first unclassified threat report the Australian Cyber Security Centre notes that in 2014, CERT Australia, the national computer emergency response team, responded to 11,073 cyber security incidents.
The cost of breaches varies significantly but when the Ponemon Institute and IBM surveyed 350 global enterprises they found that on average the cost of an Australian data breach was A$2.82m.
Admittedly just 23 Australian businesses were surveyed for the Cost of Data Breach Survey released in May this year, but 43% of them had endured a security breach during the previous 12 months. That relatively small sample may explain why Australia apparently fared better than the US where the average cost of a breach rose from US$3.52m to US$3.79m (A$5m to A$5.38m) over the space of a year.
The survey deliberately excludes what it terms “catastrophic breaches” involving 10,000 records or more in order to avoid skewing the findings for most companies. What it does attempt to price however are the direct costs of a breach such as fees for forensic experts, outsourced hotline support, free credit monitoring subscriptions and discounts for future products and services. It also factors in indirect costs such as in house investigations and communications, and extrapolates the likely impact of declined turnover and reduced customer acquisition rates after an attack.
But as Steve Ingram, cyber services leader for PricewaterhouseCoopers in Asia Pacific, says, the recent Ashley Madison hack demonstrates that the actual costs of breaches can stretch beyond mere money.
“Ashley Madison was not just about embarrassment, in some societies adultery is a capital crime,” he notes.
According to Ingram last year there was a 48% increase in cyber incidents, with two happening every second of every day. PWC’s statistics align roughly with Ponemon’s – it says it costs enterprise roughly A$3m per breach – and could be much higher for some organisations – for example a bank or retailer which may need to replace credit cards for millions of customers.
While A$3m is the average cost Ingram says; “We saw a doubling of incidents costing over A$23m in total.”
While he acknowledges increased interest in cyber insurance Ingram says that such policies have yet to be fully tested – and wonders whether there would be any payouts if the breach was ultimately discovered to be an inside job.
Roger Smith leads cyber insurance group in Australia at Allianz, which launched its cyber insurance product in February 2014 and is currently focused on serving the needs of enterprise scale customers.
Asked how much enterprises were currently seeking to insure themselves for Smith said there was a diverse range from around $500,000 to $50m.
He says; “Increasingly organisations are recognising the exposure cyber risk represents under traditional insurance policies like directors and officers liability and also areas of risk which may not be insured such as damage to the company’s reputation.”
The biggest risk that companies face says Smith is business interruption, but the anticipated introduction of mandated data breach notification in Australia will also inject additional cost.
In the US, where data breach reporting is mandated, Allianz aligns with other estimates when it says it can cost $US130 a record to notify and fix.
Smith says that the dynamic nature of the cyber security risk and lack of historical actuarial data remains a particular challenge for insurers.
When it comes to pricing premiums Smith acknowledges that; “The lack of information presents a challenge when coming up with a rating structure.” He says that instead of relying on a formulaic approach to pricing risk which had limited value, Allianz works closely with organisations to analyse the activity of an organisation seeking insurance, its approach to security and the overall culture of the enterprise in order to understand and then price the risk profile.
Read more about the cost of a cyber security breach
Security experts say the data breach at US retailer Target in late 2013 could cost way more than the $162m cost declared by the company
Data breaches are only a matter of time so companies need to know what to do to prevent, respond and contain breaches when they happen
Without evidence, CIOs and CSOs struggle to prove to hospital leaders that cyber security is crucial against threats to PHI security. A multi-group report aims to give IT the ammo it needs.
John Wheeler, Gartner research director, says that when calculating the total cost of a breach it is important to add in the breach notification costs, crisis communications, forensic investigation, legal defence, even extortion fees.
While some of these costs could be covered by a cyber insurance policy, not all would.
Business interruption meanwhile could be covered by other insurance policies although Wheeler acknowledges it could be difficult to get paid out because of the often vague definition of business disruption. As a general rule Wheeler says cyber insurance does not cover the reputation costs – only recognizing cost recovery for fixing a breach.
Despite the limitations of insurance, there is a growing appetite for protection.
Four to five years ago Wheeler says it took an attack before management took cyber risk and the need for cyber insurance seriously. That’s no longer the case.
“We see more customers proactively seeking this sort of insurance driven by their boards,” says Wheeler.
High profile breaches such as those at Sony, JP Morgan and Target in the US, and Telstra and Optus in Australia have placed companies and their boards on high alert.
“We saw after the Sony attack they went for six months without an email – the impact and cost depends on the business continuity of the organisation. The greater costs are around reputation if the brand is damaged.
“A retailer or a financial services organisation can quickly spiral into a situation where they have customers leave.”
And that gets pricey real quick.