Category : Preparedness
How much does it cost to fix a cyber attack?
Wynn kindly wrote the following blog for me and goes beyond the original question, explaining the new laws coming into effect next year. You need to know this! He also gives useful advice on how to protect yourself from the attack in the first place.
The question: what is the average cost to fix a cyber-attack? A good question, but a difficult one to answer. It depends on the business, and it also depends on the type of attack used by the very organised cyber criminals of today. On average, UK SMBs suffer a cyber-attack seven million times a year, with the average hack costing them £3,000, new research has shown (this is based on a study from mid-2016). The Federation of Small Businesses (FSB) found that SMBs are the victim of an average of four cyber-attacks every 24 months, with 66 per cent of the 1,006 organisations surveyed having been a victim of cybercrime at some point.
Taking into account the increased complexity of the attack vectors being used by cybercriminals, and the fact that the vast majority of cyber-attacks go unreported to the authorities, the real number is much higher and will only continue to grow. This is especially true when one considers that the new General Data Protection Regulation (GDPR) becomes compulsory as of 25th May 2018. From that point, all businesses that store any personal data of any EU citizen will be held responsible for the protection of that data. This doesn't just mean the processing of card payments, as most people mistakenly believe now, but plain old names, addresses, email addresses, telephone numbers etc…
As of May 2018, you will be held responsible for any breach of any personal data you hold. Not only that: if you do not report a hack, you will be in even further trouble. Attacks have to be reported to the data protection authority (DPA) within 72 hours of the breach. You will also have to prove that you have taken all reasonable precautions to prevent such attacks.
You will no longer have the excuse of "I didn't know about the new regulations!" The new regulations state very clearly that it is the business owner's responsibility to know the law and to have made every effort to secure the data they are responsible for, whether it is in their own possession or held by a third-party supplier. If you attempt to feign ignorance, you will receive extra penalties.
There is currently far too much complacency around data security and cybercrime, from business owners, individuals and IT service providers alike. Many IT suppliers claim to have their clients' data security needs at the forefront of their agenda, when in reality they do not understand the current attack vectors used by cybercriminals, and have no training or experience in how to prevent such attacks. They deliberately avoid implementing even the most basic IT security best practices, and think that installing antivirus software or a bigger firewall is doing the right thing. IT service providers are reluctant to change default configurations and installations, and reluctant to restrict both their own and their clients' access. They reuse passwords across multiple clients, and those passwords are all too guessable to the trained hacker.
In reality, even a cheap firewall, properly configured, will prevent direct access. Good antivirus is essential, as is security patching of operating systems and applications. More importantly, the biggest advance in protecting a website, network or computer from attack is training of the end user and good practices. As with anything in life, there is no silver bullet for this problem; we all have to take ownership, accountability and responsibility for our actions and for the data that we store.
As such, the average cost of a cyber breach will rise in the years to come. Not only will business owners be accountable for the data they store, but they will be fined by the authorities for not making the best effort to protect that data. Then there will be the litigation suits, or as the Americans call them, class action suits, fired up by the long line of compensation chasers who are currently looking for another avenue to pursue once the PPI funds run out.