Why do cyber attacks cost so much?

Cyber attacks are increasingly costly for organizations and consumers. In 2021, the global average cost of a data breach was $4.24 million, the highest in 17 years of tracking by IBM. Ransomware attacks alone cost organizations over $20 billion globally in 2021. Why do cyber attacks impose such high costs, and what factors drive up the price tag?

The multifaceted impacts of cyber attacks

Cyber attacks incur costs across many areas:

Business disruption and lost productivity

Cyber attacks often severely disrupt business operations. After an attack, organizations may be forced to shut down IT systems entirely to contain the incident. This leads to downtime and lost productivity across the business. Employees are unable to work efficiently without access to critical systems. Business processes grind to a halt.

For example, when retailer Target suffered a major data breach in 2013, the company estimated the incident led to $291 million in lost sales in Q4 alone due to disruption from the attack.

Incident response costs

Organizations face steep costs to respond to and recover from a cyber attack. Technical investigation, malware removal, system restoration, forensic analysis, legal expenditures and communications all quickly add up.

The more widespread and severe an attack, the higher incident response costs climb. For instance, Equifax estimated it spent $400 million on incident response and legal proceedings associated with its 2017 data breach.

Reputational damage and customer loss

Cyber attacks often inflict lasting reputational damage on victim organizations. Customers lose trust after their data is compromised. Equifax saw its stock price plummet 30% in the aftermath of its breach.

This reputational fallout translates into customer loss and reduced revenue over time. Target estimated that its 2013 breach scared away droves of customers, causing sales to fall 46% in the fourth quarter.

Regulatory fines and legal liabilities

Organizations that suffer breaches may face sizable regulatory fines for violating data protection laws. They also often face class action lawsuits filed by customers whose information was exposed.

For example, Equifax agreed to pay up to $700 million to settle with regulators and consumers after its 2017 breach. British Airways was fined £183 million by the UK’s data protection authority for a 2018 breach.

Increased cyber insurance costs

After an incident, organizations often face much higher cyber insurance premiums at their next renewal, assuming coverage is even still available. Insurers hike rates significantly for policyholders with a breach history.

For instance, Moss Adams found that ransomware attacks led to 50-100% increases in cyber insurance premiums for victims. Rate hikes ranged from 30-200% for other cyber incidents.

Why ransomware attacks are so costly

Ransomware is one major attack type that imposes especially high costs on victims:

Ransom payments

Many organizations decide paying the ransom is the quickest way to regain access to encrypted systems and data. In 2021, the average ransom payment was $570,000, up 82% from 2020.

However, paying the ransom is no guarantee files will be recovered, and it incentivizes more attacks.

Business disruption from data and system encryption

Ransomware rapidly spreads through networks, crippling devices by encrypting crucial files and data. Entire operations come to a standstill as workers lose access to the systems and information they need to perform their jobs.

For example, when ransomware struck meat processing giant JBS Foods in 2021, the company was forced to shut down plants that produce 22% of America’s beef supply.

Costly rebuilding of systems and data

Even after the attack is contained, enormous effort is required to rebuild systems and restore data from backups. This process can take weeks or longer depending on the scale of encryption.

For instance, TransUnion took nearly a month to fully restore operations after a 2022 ransomware attack due to the complexity of rebuilding thousands of servers.

Knock-on impacts across supply chains

Ransomware attacks on large companies frequently cascade down supply chains as operations remain shuttered. This magnifies costs as countless partner businesses lose revenue.

When ransomware struck logistics giant Maersk in 2017, the attack completely paralyzed operations at 76 port terminals worldwide, causing knock-on impacts across global shipping.

Why healthcare cyber attacks are so expensive

Healthcare organizations often face the highest costs from cyber attacks:

High per-record data breach costs

In 2021, data breaches cost healthcare organizations $9.23 million on average. This is significantly higher than any other industry.

Why? Healthcare firms suffer immense damage from loss of highly sensitive patient data like medical histories, SSNs, diagnoses, and treatment info.

Disrupted patient care and safety risks

Cyber attacks endanger patient health and safety when medical devices, diagnostics systems or EHR access are disrupted.

In 2020, a ransomware attack forced a patient to travel over 20 miles to receive life-saving care after the targeted German hospital became unable to accept emergency patients.

HIPAA noncompliance fines

Breaches that expose protected health information (PHI) often saddle healthcare organizations with steep HIPAA fines for regulatory noncompliance.

Covered entities can face penalties up to $1.5 million per violation. Business associates face fines up to $150,000 per violation.

High costs to notify patients

After a healthcare data breach, HIPAA requires the organization to notify every impacted patient by letter. The administrative costs of the mailings alone can exceed $1 million for large breaches.

For instance, a 2014 attack on Community Health Systems impacted 4.5 million patients, incurring enormous costs to mail notifications.

Factors that influence cyber attack costs

Several key factors drive up costs when an attack occurs:

Delayed detection and response

The longer an attacker remains undetected inside systems, the higher incident costs go. Quickly spotting and containing an intrusion minimizes damage and remediation expenses.

According to IBM research, breaches identified and contained within 200 days cost $3.05 million less on average than those that go undiscovered for longer, sometimes months or years.

Extent of encryption and destruction

More extensive encryption and corruption of systems and data translates into much higher recovery costs for victims. Ransomware incidents where 50% or more of data gets encrypted cost on average $2 million more to remediate.

Number of compromised records

As more customer, patient, and other records get exposed, regulatory fines, legal liabilities, and administrative costs for breach notifications scale up dramatically.

The average cost of a data breach rises by $50 for each additional compromised record, according to IBM and the Ponemon Institute.

Presence of sensitive data

Breaches cost more when sensitive information is involved, like healthcare records, financial data, intellectual property, and personal information like Social Security numbers.

The loss of each healthcare record costs $499 on average – far above the $161 cost for exposure of an average retail record.

Revenue size of the victim organization

Breaches at large companies with over $1 billion in revenue have much higher absolute costs than breaches at smaller firms. However, those costs represent a larger share of revenue for smaller victims.

Average breach costs for organizations with over $1 billion in revenue are $6.64 million, while smaller firms face average costs of $2.56 million.

How organizations can control cyber attack costs

While cyber attacks inevitably impose costs, organizations can take steps to reduce their potential price tag and business impact:

Implement layered security defenses

Using a defense-in-depth approach with multiple overlapping controls (firewalls, endpoint protection, access controls, encryption, etc.) helps stop many attacks before they do major damage.

Perform regular vulnerability management

Actively patch known security flaws in software, operating systems, and applications to eliminate the weaknesses attackers exploit to gain initial access.

Deploy strong email security

Given that email remains the #1 attack vector, tools like email authentication and attachment sandboxing help stop socially engineered malware and phishing attacks.

Educate employees on cybersecurity best practices

Well-trained employees with security awareness can be the last line of defense against sophisticated attacks. Training should reinforce basic habits such as not clicking suspicious links or opening unexpected attachments.

Maintain detailed response plans and procedures

Having a documented incident response plan lets IT teams contain, eradicate, and recover from successful attacks faster and with less improvisation.

Maintain current backups of critical systems and data

Reliable, extensive backups make restoration dramatically faster and cheaper after destructive attacks like ransomware.

Purchase adequate cyber insurance

While costly, cyber insurance can significantly offset costs of a major incident through coverage of damages, legal expenditures, investigations, customer notifications, PR efforts and more.

Conclusion

Cyber attacks impose heavy costs on organizations and consumers through business disruption, reputational damage, recovery efforts, regulatory fines, legal liabilities and more. Certain attack types like ransomware and incidents in industries like healthcare incur especially high costs due to sensitive data exposure and safety risks.

While cyber attacks will remain expensive, organizations can take proactive measures to detect intrusions faster, limit damage more effectively and restore operations more smoothly. Investing in layered security, keeping software updated, training employees, maintaining response plans, backing up data and securing cyber insurance are key steps every organization should take to minimize costs.