Costs of a cyber-attack

by Mark Rowe

Some £406,000 is the average cost incurred by large European companies in the wake of a cyber-attack. That is according to the 2013 Global Corporate IT Security Risks survey, by B2B International, with Kaspersky Lab.

Any cyber-attack can cause damages for a company, but how can those damages be quantified in financial terms? In 2013, experts at B2B International calculated the damages stemming from cyber-attacks based on the results of a survey of companies around the world. To get the most accurate picture of costs, B2B included only incidents that had occurred in the previous 12 months; the assessment was based on information about losses sustained as a direct result of security incidents.

This comprised two main components:

– Damage resulting from the incident itself – i.e. losses stemming from critical data leakage, business continuity, and the costs associated with engaging incident remediation specialists;

– Unplanned ‘response’ costs required to prevent future, similar attacks, including hiring/training staff and hardware, software and other infrastructural updates.

Researchers did not incorporate data about some losses and expenses incurred by a comparatively small number of surveyed companies, such as costs stemming from the need to release a public statement about the incident.

Cost structure

After crunching the numbers, it appears that the majority of losses are caused by the incident itself. Lost opportunities and profits, as well as payments to third-party remediation specialists, average out at £368,000. “Response” expenses for hiring and training staff, as well as updating the hardware and software infrastructure, add an additional average payment of £38,000.

Interestingly, damages also varied depending on the region in which the targeted company operates, with Europe displaying a lower cost of damages than a number of other regions. For example, the largest damages were associated with incidents that involved companies operating in North America — an average of £530,000, followed closely by South America at £526,000.

SME costs

The costs of a cyber-attack against small and mid-sized enterprises are lower than for large corporations. Nonetheless, considering the smaller size of these companies, the amounts still deal a significant blow. The average loss resulting from IT security incidents for mid-sized European companies came in at roughly £36,000, of which approximately £25,000 is accounted for by the incident itself, while the remaining £11,000 comes from other associated expenditures.

Looking at the global statistics, the largest average losses from cyber-attacks among small and mid-sized businesses were recorded at £62,000 for companies in Asia-Pacific. Second place went to companies in North America, with average losses of £53,000. The lowest losses from cyber-attacks were seen in Russia, at £14,000 on average.

The survey also suggested that in some cases the financial losses incurred by small companies are accompanied by other losses amounting to about 5 per cent of annual revenues. In one case, a company lost all of its business in a region where it had been successful prior to the incident.

© 2024 Professional Security Magazine. All rights reserved.