C-suite. What If You Got Hacked? Do The Math!

Caption: We’ve compiled a few ‘what if’ questions to get the C-suite thinking about the financial impact of being hacked.

If your C-suite isn’t aware of the Key Risk Indicators about cyber security, maybe it’s because your company thinks it’s 100% secure. But what if your defenses aren’t as good as you think? We’ve compiled a quick ready reckoner for the C-suite to work out some of the major costs of being hacked.

Here are three sobering questions for the C-Suite:

– What if your company lost 20% of its market value in a month?
– What if you lost 2.5% of customers in 2 months?
– What if 6.25% of your cash reserves disappeared overnight?

For the directors of, respectively, Yahoo, TalkTalk and Bangladesh Bank, those nightmare questions aren’t hypothetical … they are based on real life events. There’s more about each story below.

And Sergio Loureiro, CEO of SecludIT, says that no company on earth can afford to be complacent about the risk. “We’ve carried out many thousands of corporate network vulnerability scans,” Sergio says, “and over 98% of them have shown vulnerabilities that could be exploited by hackers.”

To help the C-suite understand their own cyber risks, SecludIT have launched the Key Risk Indicators. But more about that later.

To quote a recent article from Harvard Business Review (link below): “Most managers rely on qualitative guidance from “heat maps” that describe their vulnerability as “low” or “high” based on vague estimates that lump together frequent small losses and rare large losses. But this approach doesn’t help managers understand if they have a $10 million problem or a $100 million one, let alone whether they should invest in malware defenses or email protection. As a result, companies continue to misjudge which cybersecurity capabilities they should prioritize and often obtain insufficient cybersecurity insurance protection.”

Sergio says that SecludIT’s Slideshare presentation about The real cost of ignoring network security shows that companies – even SMEs – could expect some direct costs, such as:

– $500,000 average legal defense.
– $1,000,000 average legal settlement.
– $700,000 average data center costs.

Plus there are also the intangible costs of loss of brand value and enterprise value on the balance sheet due to hacking.

But it doesn’t stop there. Here are three more specific costs that other CEOs have faced.

 

Q1. What if a cyber attack cost you 20% of your market value?

You’ve probably read recently that Yahoo reported a breach that involved some 500 million customer email details being compromised, including passwords.

At the time, Yahoo was in the process of being acquired by Verizon for some $4.8m in cash … but as a result of the hack, Verizon reduced their offer by $1 billion (see Investor.com link below).

So the first question for the C-suite to contemplate is: ‘What if our market capitalization reduced by 20%?’

 

Q2. What if a cyber attack cost you 2.5% of your customer base?

At the time of the UK’s TalkTalk hack (Oct 22, 2015), The Financial Times (link below) was reporting that the telecom provider had “…warned its 4m customers that personal information may have been stolen following a “significant and sustained” cyber attack.”

Just over two months later (Feb 2, 2016), The Daily Telegraph (link below) revealed that TalkTalk had lost 101,000 customers as a result of the cyber attack. That’s around 2.5% of the company’s customer base.

No wonder The Daily Telegraph also quoted TalkTalk’s boss, Dido Harding, as saying: “(The) harsh truth that no business can say they’re doing enough on adding security to their systems.”

 

Q3. What if a cyber attack cost 6.25% of your cash reserves?

The Bangladesh Bank (see Reuters link below) was hacked for $80 million. However, only a spelling mistake stopped the cyber criminals from getting away with $1 billion.

The Central Bank of Bangladesh (link below, as of Sept 29, 2016) report that they have ‘Total currency and deposits’ of $16.5 billion. So had the hackers not made a typographical error, they might have got away with 6.25% of the bank’s ‘currency and deposits’ figure.

Bangladesh Bank spokesperson Subhankar Saha said: “There might have been a deficiency in the system in the SWIFT room. Two (SWIFT) engineers came and visited the bank after the heist and suggested to upgrade the system.” Website Digital Trends (link below) suggested that the bank had previously economized by using $10 switches.

 

Now compare the potential cost of being hacked to the cost of a KRI audit.

By the time the C-suite have factored in all the potential tangible and intangible costs above, the likely cost of a cyber attack could be tens of millions of dollars.

But for around the cost of an office copier, SecludIT can provide your company with a detailed Cybersecurity Key Risk Indicator report for the CISO and the C-Suite.

This popular scan probes the network for over 60,000 vulnerabilities and, in addition to the C-suite report, also gives a prioritized fix list – with remediation tips – for the IT team. The KRI report is based on the standards defined by three IT security bodies:

1. OWASP – Global security standards.
2. ANSSI – Secure trading in Europe.
3. PCI-DSS – eCommerce payments standards.

Our technical team will help you run a KRI scan on your cloud, physical or hybrid network. SecludIT’s ‘Elastic Detector’ has safely performed millions of scans for companies around the world. Our technology is low-overhead, so causes no user disruption and has no impact on network responsiveness or features. You will see the first actionable results in a morning.

 

Research sources for the cost to businesses of a cyber attack.

SecludIT Slideshare presentation.
The real cost of ignoring network security.
http://www.slideshare.net/SecludIT/cost-of-ignoring-network-security

Harvard Business Review.
Can You Put a Dollar Amount on Your Company’s Cyber Risk?
https://hbr.org/2016/10/can-you-put-a-dollar-amount-on-your-companys-cyber-risk

Investor.com
Verizon Seeking $1 Billion Yahoo Price Cut; Will Yahoo Investors Care?
http://www.investors.com/news/technology/verizon-said-to-want-1-billion-yahoo-price-cut-will-yahoo-investors-care/

The Financial Times.
TalkTalk warns 4m customers after cyber attack.
https://www.ft.com/content/29d7b000-7902-11e5-8564-b4bb9a521c63

The Daily Telegraph.
TalkTalk loses 101,000 customers after hack.
http://www.telegraph.co.uk/technology/2016/02/02/talktalk-loses-101000-customers-after-hack/

Reuters.
How a hacker’s typo helped stop a billion dollar bank heist.
http://www.reuters.com/article/us-usa-fed-bangladesh-typo-insight-idUSKCN0WC0TC

Central Bank of Bangladesh.
Official reserve assets.
https://www.bb.org.bd/econdata/or_assets.php

Digital Trends.
$10 switches cost Bangladesh’s central bank $81 million.
http://www.digitaltrends.com/computing/bangladesh-bank-heist/
