The costs and fallout from a cyber security breach extend far beyond revenue losses, impacting jobs, mental wellbeing, trust and future business.

This is according to cyber security experts within the Cyber Security Special Interest Group (SIGCyber) of the Institute of Information Technology Professionals South Africa (IITPSA).

Financial costs

Bryan Baxter, SIGCyber member and enterprise account manager at BC Technologies, says: “Estimating the true cost of a cyber security breach is challenging. According to the latest IBM® Cost of a Data Breach report, the global average cost of a data breach is $4,88-million, with South Africa estimated at $2,78-million.”

The costs of each breach vary, however. He says the impact of a cyber breach could be determined through a number of variables, including the nature and size of the business and the organisation’s level of preparation.

Baxter says: “The costs of a cyber breach can range from thousands to millions of Rand. For example, costs for a Business Services organisation (turnover: R100-million, 100 employees) and a Manufacturing organisation (turnover: R1,146-billion, 11 000 employees) range from, approximately, R3,29-million to R44,49-million. Following a breach, an investigation is required to determine the extent of the breach, the data affected, how many records were involved, the source of the breach and whether the breach has been contained. These investigations may require the assistance of cybersecurity experts. Of course, the larger the breach, the higher the cost of resolving it.”

Big impacts on smaller entities

SIGCyber member and Professor in the School of IT at Nelson Mandela University, Professor Kerry-Lynn Thomson, points out that while massive financial losses make headlines, individuals and small businesses can also suffer catastrophic losses due to cyber security breaches.

“When cyber breaches occur, it is most often the large organisations that grab the headlines. However, each day, individual online users are affected by cyber breaches – the cost of which can be complex and devastating,” she says.

Prof Thomson says: “Individuals affected by cyber breaches are, most likely, not skilled cybersecurity professionals and would have to deal with the consequences or cost of the cyber breach on their own. The cost of a cyber breach for individuals could range from the inconvenience of changing passwords, securing accounts, and dealing with long-term privacy concerns from exposed sensitive information – to, more seriously, direct financial loss, such as stolen funds or the cost of recovering from identity theft, including legal fees.

“Further to this, individuals may have to spend a significant amount of time to address cyber breaches, including contacting financial institutions or authorities. In the case of identity theft, for example, it is estimated that it could cost individuals an average of 200 hours of their time in resolving these issues.”

From an emotional point of view, victims often experience stress and anxiety caused by an invasion of privacy and financial losses, she adds. “The sense of violation that comes from having private data exposed could lead to victims feeling vulnerable and helpless. Many victims also struggle with the loss of trust, not only in the affected platforms or services, but also in the broader digital environment, making them hesitant to engage in online activities they once took for granted.”

Therefore, while it is difficult to quantify the cost of a cyber breach for individual online users, there is no doubt that it affects not only their financial stability, but also their emotional well-being and quality of life, she says.

Racking up indirect costs

SIGCyber member and Nexio head of department, Doctor Mafuwafuwane, says: “Apart from the immediate financial expenses related to data recovery, system repairs, forensic investigations and potential fines from regulatory bodies, organisations often suffer reputational harm, leading to a loss of customer trust, decreased sales and diminished market value, which are challenging to quantify.

“Additionally, legal costs resulting from lawsuits or non-compliance issues further compound the financial impact that organisations must bear, highlighting the fact that the effects of a cyber breach extend well beyond the initial incident.”

Individuals also face distinct consequences from cyber security breaches, including emotional distress, identity theft and the loss of personal information. These personal repercussions can result in expenses for restoring compromised accounts, monitoring credit and combating fraudulent activities, he adds.

On a personal level, the rise in scams and identity theft in South Africa further demonstrates how breaches affect financial stability and mental well-being, underscoring the need to comprehend the multifaceted costs of cybersecurity breaches.

“The psychological burden, which includes concerns about personal safety and disruptions to daily digital activities, can have significant implications for overall well-being. Therefore, gaining a comprehensive understanding of the financial ramifications of a cyber breach in South Africa necessitates an analysis that considers both direct and indirect effects on a diverse range of stakeholders,” Mafuwafuwane says.

Cyber security skills costs

Fellow SIGCyber member and Professor in the School of IT at Nelson Mandela University, Professor Lynn Futcher, says that a cost often overlooked is the cost of cybersecurity professionals who need to detect, protect from, defend against, respond to and recover from cyber breaches.

Prof Futcher notes: “Cybersecurity professionals are required to keep up-to-date with the latest technologies and stay abreast of the ever-changing threat landscape while working long hours, often under high-pressure conditions, to monitor and defend against threats in real time. This demanding work environment can lead to burnout, high-stress levels, and mental health challenges, which can reduce the effectiveness of cybersecurity teams and lead to high turnover rates.

“To attract and retain top cybersecurity skills and talent, organisations should invest substantially in recruitment and competitive compensation packages. This includes not only salaries, but also benefits, bonuses, and other incentives (including flexible work arrangements, generous vacations, and paid time off) to keep these professionals motivated, even under challenging conditions,” she says.

There are costs to the professionals themselves, she adds: “The responsibility of safeguarding critical data and infrastructure from persistent cyber threats is often mentally exhausting. Organisations must therefore acknowledge and recognise this, and provide adequate support, especially from top management, as well as mental health and wellness programs, to ensure the well-being of their cybersecurity teams.

“While the financial, legal, and reputational costs of cyber breaches are significant, the human costs related to the cybersecurity professionals who protect organisations are equally important. Investing in the well-being, education, and retention of these professionals is crucial for building a resilient team of cybersecurity professionals,” Prof Futcher says.

Reducing breach costs

Baxter notes: “The costs of a breach are impacted by the ability of the internal cyber response team to respond to the particular incident, as well as the type of data compromised. For example, customer personally identifiable information (PII), personal financial information, or health information can incur the highest costs. Further, the duration of the cyber breach, and how long it takes to resolve, will have an impact on an organisation, as well as whether cyber insurance is in place.”

Those organisations with strong incident response plans typically save significantly on cyber breach costs, Baxter says.

As the cost of cyber breaches can be so significant, it is vital for organisations to have skilled internal cyber response teams, and they should consider a skilled ransom negotiator, Baxter says. He warns that preparing for a cyber-attack after it happens is too late – incident response, and related activities, should be planned for well in advance. Basic cybersecurity hygiene is essential and a risk assessment should be conducted to identify and protect an organisation’s most critical assets. Possible high-impact scenarios should be prepared for and practised through simulations.