If you or your company tend to ignore cybersecurity realities, here are some facts that will force you to revisit your attitude:
- 13.9 lakh cybersecurity incidents in India.
- 1,787 cyberattacks per week. In comparison, the global average for the same period was 983.
- 18% compared to the global average of just 7%.
Globally speaking, over 1 billion records were exposed in just the top 35 breaches and privacy abuses in 2022, per one recent Forrester report. And as the above stats show, India is not immune to cyberattacks. If anything, Indian organisations are at increased risk of all kinds of cyber incidents.
Needless to say, many of these incidents can result in huge financial damages for affected organisations. For example, if your organisation is affected by a ransomware attack, you may be forced to pay out a huge ransom to recover your locked files and data. Or if you experience an online DDoS attack, you may lose a lot of traffic from customers and other genuine parties, resulting in huge losses. If a bad actor uses one of your providers to infiltrate your networks, it will result in a supply chain attack that can also result in a financial catastrophe.
The bad news is that these are just three examples of the financial impact of cyberattacks.
But the good news is that you can avoid such attacks and their financial fallout.
The Financial Costs of a Cyberattack
According to IBM, the average cost of a single data breach in 2022 had climbed to $4.35 million, up from $4.24 million in 2021. 2021 was already a bad year for Indian firms, data breach-wise, losing a staggering ₹176 million in the year. The average breach cost in India has also gone up to ₹17.5 crore in 2022, up 6.6% in 2021. The average per record cost of a breach has also gone up from ₹5,900 in 2021 to ₹6,100 in 2022.
The average cost of a ransomware attack is lower than a data breach, but still worryingly high at $1.85 million (global figure). Similarly, the cost of credential theft has also increased, from $2.79 million in 2020 to $4.6 million in 2021. The IBM report also found that phishing was the second-most common attack vector, accounting for 16% of breaches. It was also the costliest, resulting in losses of about $4.91 million per breach on average.
But these are just the direct costs of a cyber incident. If your company is ever attacked, you may also incur all these indirect costs:
- Operational disruptions, resulting in lost business and revenue losses
- Angry customers, resulting in higher customer churn
- Higher customer retention and acquisition costs
- The loss to your reputation and market goodwill
- Falling share prices (if you are a public company)
- Higher borrowing costs because banks will trust you less
- Higher cyberinsurance costs because insurers will charge you a higher premium after an attack
- Regulatory fines, especially if you operate in an industry where you must comply with data privacy laws like GDPR
- Class-action lawsuits by customers or other parties affected by the attack on your organisation
The only way for you to avoid these costs is to strengthen your cyber defences. Weak defences will allow more threat actors to attack your company and compromise its assets. And if they are sophisticated and smart, they may even leverage the latest technologies such as generative AI and automation to launch large-scale attacks on your company.
So how can you defend your organisation from the latest cyber threats and threat actors?
Start by creating a cyber risk balance sheet.
What is a Cyber Risk Balance Sheet?
As a business owner or manager, you already know what a balance sheet is. This financial statement that contains details of your company’s assets and liabilities at a specific point in time. The chief value of a balance sheet lies in its ability to quantify two of the most important elements of your firm’s financial performance: assets and liabilities.
Like a financial balance sheet, a cyber risk balance sheet is also a data-driven document. But in this case, the data is about the cyber risks facing your organisation. It will enable you to make previously invisible cyber risks visible and understand and map the potential financial impact of these risks. Simply put, the balance sheet shows your cyber risks versus their probable impact. The World Economic Forum (WEF) calls developing a cyber risk balance sheet a “power move” that can help enterprise leaders and organisations to improve their cyber risk decision-making.
There are four key steps involving in preparing a cyber risk balance sheet:
- Select a cyber risk quantification framework like FAIR to identify the various risk factors and quantify your cyber risk.
- Identify the cyber threats relevant to your company.
- Evaluate the probability of each threat.
- Check if you already have cyber controls to mitigate these threats. Also evaluate their effectiveness.
- Map the probability of in-scope threats to cyber risks in financial terms.
The balance sheet will help you document all the cyber events that could have a material impact on the company in financial terms. It will also guide your risk-related decision-making and future cybersecurity investments that are most likely to generate a positive ROI.
Other Good Practices to Manage and Mitigate Cyber Risk
Keep in mind that a cyber risk balance sheet is only one element of an effective cybersecurity programme. For a truly cyber-resilient organisation, you must also understand the various drivers of cyber risk, including economic drivers. This is important because many enterprise initiatives aimed at driving profitability also end up increasing cyber risk. Make sure you measure cyber risk against strategic objectives, align risk management with business objectives, and define your risk appetite in financial terms to guide decision-making and risk management.
Also ensure that your organisational design supports cybersecurity. This means implementing enterprise-wise cybersecurity controls, integrating cybersecurity practices into operations and decisions, and defining key cybersecurity KPIs for risk management and reporting purposes.
It’s also important to incorporate cybersecurity expertise into board governance. Thus, company boards must oversee the cybersecurity programme, periodically audit the firm’s cybersecurity strength, and leverage the expertise of third parties (wherever appropriate) to update their own knowledge about cyber risk and recent cybersecurity incidents.
Finally, effective cybersecurity and robust cyber risk management requires participation and effort at every level of the organisation. Senior personnel such as the CISO, CTO, CIO, and CEO must collaborate with each other to analyse cyber risk and share information to update the cyber risk balance sheet. They must also work with the risk management team to prioritise the risk management effort for the organisation’s unique threats and vulnerabilities.
An org-wide effort can also go a long way to:
- Create a strong cybersecurity culture
- Lower the costs of security incidents
- Attract the right cybersecurity talent
- Select the most appropriate security tools and providers
- Leverage cybersecurity as a strategic business driver instead of as a business cost
- Make better decisions about the organisation’s cyber and financial health
Conclusion
Cyberattacks are increasing in frequency and scale so you cannot afford to stick your head in the sand. Protect your organisation by creating a cyber risk balance sheet and implementing the practices highlighted in this article. You can also manage and mitigate the most serious cyber risks affecting your organisation with the help of technology.
