What's the cost of a cyber attack?
It's hard to quantify the impact a breach can have on brand reputation. ComXo's Andrew Try argues it's crucial to keep the business running
When a cyber attack strikes a business, the direct restoration costs – including replacing hacked IT systems; adopting new staff training, and reclaiming lost productivity – can cost that firm up to £3m. But these are some of the easier numbers to calculate. The ‘true’ cost of an attack could in fact be much more, especially when you try to quantify the impact it has on trust and brand reputation.
At the CBI’s recent Cyber Security Conference 2018, the top theme of the day was not that cyber security is a technology issue, but that it should now be considered a business (continuity and reputation) issue.
Andrew Try, Managing Director of switchboard services provider ComXo drove home this message as part of a panel discussion – and he was not the only one to say leaders need to think differently.
The worst-case scenario
Try explained how last year ComXo’s ability to help businesses deal with a breach kicked in when a major attack was launched against one of its global clients. “The breach happening was one thing, but our handling of its switchboard ensured the business was able to keep running,” he said. “Bosses there later admitted they had no idea what ‘worst case’ really looked like. That day, they really did know what worse case was.”
On the day the breach occurred, call volumes ComXo handled spiked by 400 per cent (and were up 701 per cent that week). Officially the client's switchboard was down, but because ComXo’s overflow measures leapt into life, the business was able to keep its own clients – and employees – up to date.
With hard-fought brand reputation depending on how firms react in the immediate hours or days after an attack, the value of keeping the business going during an attack cannot arguably be calculated. According to the CBI’s own research, nearly 90 per cent of customers say appropriate data security and the protection of personal information is the key characteristic that matters to them when choosing where to spend their money.
Try believes more businesses need to wake up to the “inevitability” that an attack is now more likely to happen.
At the conference, he said: “The single biggest asset companies need to protect is brand value. Lots of IT spend goes into protection, and trying to stop attacks, but hardly any goes into simulating and preparing for when an attack actually happens.”
Fellow conference panelist, James Hatch, Director of Cyber at BAE Systems, supported this view. He said: “Risk isn’t what newspaper headlines say it is, but what matters to businesses – which is invariably customer operations, and continuation of the business.”
According to our research, it’s people, not necessarily technology that really matters when reputation is on the line – people who are there to explain and reassure customers what is going on and people who can be reached easily when disaster strikes.
Try added: “The cyber security scene tends to look at the world retrospectively. The real problem we all need to face is how do deal with an attack when one is actually going on”.
He concluded: “There is a woeful lack of interest at board level to fire-drill complete and utter worse-case scenarios – the sorts of situations where lines go down, and the plug is literally pulled”. When you could potentially lose everything, leaders need to have already thought about how to manage this, and test the situation.”
For more information on how you can help maintain business continuity during a cyber attack, visit www.comxo.com
Previous post: The questions to ask on the road to cyber security