One of the great ironies of cybersecurity is that two of the attacks that have gained the most global notoriety have inflicted the least amount of economic damage. The entities behind WannaCry and the latest variant of the Petya ransomware attacks have demanded $300 in Bitcoin payment to decrypt data. In the case of WannaCry, the attack was disrupted when cybersecurity experts figured out how to activate a kill switch. In the meantime, an Internet service provider in Germany has blocked the email address to which victims of the latest global ransomware were supposed to direct their payments. Speculation runs rampant as to whether the global attention this attack generated caused the cyber criminals to reconsider whether it was worth the risk, or whether this was a cyber espionage attack that spun out of control.
Both the WannaCry and Petya attacks forced the organizations that were victimized to incur costs that went beyond the ransom itself. After all, cleaning up after a cyberattack is no small endeavor. The trouble is that most of those costs are soft. Too often business executives don’t appreciate the real costs being incurred in terms of overall disruption to business that spans everything from time and effort spent hunting for and removing malware to brand reputation and potential fines that may be levied by any number of government agencies or regulatory bodies.
A report from The Ponemon Institute published this week in collaboration with IBM finds the cost of a data breach last year in the U.S. grew five percent, from $7.01 million to $7.35 million. The good news is that the report also found that the total cost of a data breach decreased 10 percent globally to $3.62 million, down from $4 million the year before.
Factors leading to increased costs in the U.S. include:
- Cost of notification in the U.S. was $690,000 per company on average – more than 2.5 times the cost in any other region.
- “Rush to notify” increased costs by $5.50 per lost or stolen record globally. This process costs 50 percent more in the U.S. than in Europe.
- “Compliance failures” increased costs by $11 per lost or stolen record. That number is 48 percent higher in the U.S. than it is in Europe.
From an IT security perspective, the most eye-popping findings in the report are that it takes on average 191 days for an organization to identify a breach and 66 days to contain it. The “good news” is that organizations that contain a breach in less than 30 days incur on average $1 million less in costs ($2.83M versus $3.77M).
The trouble is that most of these costs are hidden, in the sense that the average business executive doesn’t see them all tallied up in one neat spreadsheet. Because of that lack of visibility, IT security as a whole still doesn’t get the level of attention it should. The one positive element of attacks such as WannaCry and Petya is that, despite the limited amount of ransom being paid, the fact that they occur simultaneously does more to raise cybersecurity awareness than any public service message or warning from the internal IT organization could ever achieve.
The degree to which that awareness changes end user behavior, of course, remains to be seen. But at the very least there’s cold comfort to be had in the fact that any end users who by now have not at least heard of these attacks must be living safely under a rock that may never have warranted being protected in the first place.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.