The average cost incurred by large companies in the wake of a cyber-attack is $649 000, according to the 2013 Global Corporate IT Security Risks Survey conducted by B2B International, in conjunction with Kaspersky Lab.
In 2013, experts at B2B International calculated the damages stemming from cyber-attacks based on the results of a survey of companies around the world.
In order to get the most accurate picture of costs, B2B included only incidents that had occurred in the previous 12 months; the assessment was based on information about losses sustained as a direct result of security incidents.
This comprised two main components:
* Damage resulting from the incident itself – that is, losses stemming from critical data leakage, business continuity, and the costs associated with engaging incident remediation specialists; and
* Unplanned “response” costs required to prevent future, similar attacks, including hiring/training staff and hardware, software and other infrastructural updates.
Researchers did not incorporate data about some losses and expenses incurred by a comparatively small number of surveyed companies, such as costs stemming from the need to release a public statement about the incident.
It appears that the lion’s share of losses is caused by the incident itself: lost opportunities and profits, as well as payments to third-party remediation specialists, average out at $566 000.
“Response” expenses for hiring and training staff, as well as updating the hardware and software infrastructure, add a further $83 000 on average.
Incidentally, damages may vary depending on the region in which the targeted company operates.
For example, the largest damages were associated with incidents that involved companies operating in North America – an average of $818 000. The number was only slightly lower in South America at $813 000. Europe saw a lower but still substantial average loss from cyber-attacks, at $627 000.
The costs of a cyber-attack against small and mid-sized enterprises are lower than for large corporations. Nonetheless, considering the smaller size of these companies, the amounts still deal a significant blow.
The average loss resulting from IT security incidents for mid-sized companies came in at roughly $50 000, of which approximately $36 000 was accounted for by the incident itself, while the remaining $14 000 came from other associated expenditures.
The largest average losses from cyber-attacks among small and mid-sized businesses were recorded at $96 000 for companies in Asia-Pacific. Second place went to companies in North America, with average losses of $82 000. In Europe the figure appeared to be $55 000, and in South America $45 000. The lowest losses from cyber-attacks were seen in Russia, at $21 000 on average.
The survey also revealed that in some cases the financial losses incurred by small companies are accompanied by other losses amounting to approximately 5% of annual revenues. In one case, a company lost all of its business in a region where it had been successful prior to the incident.
A key lesson to be drawn from this study is that even the most destructive and expensive attacks could have been prevented. Attacks exploited holes in company security that could have been patched up if only the targeted corporations had used quality IT security solutions and managed IT infrastructure appropriately.