Hacking code

News analysis: Calculating the true cost of cyber-crime

While governments state that cyber security is now one of their top national challenges, the overall cost impact of cyber security, both in terms of the investment it demands and of the damage that follows an attack, is far from clear.

Depending on their sources, the media and analysts put the global cost of cyber-crime at anywhere between $100bn and $1tr annually, because the reports and surveys behind these figures are based on inconsistent parameters. This lack of consistency in calculating the true cost-impact of cyber-attacks has, arguably, become a significant impediment to addressing the problem as effectively as the situation calls for.

If we are to tackle cyber security threats, we need individuals and companies to understand the nature of the threats and to be able to assess the costs and consequences of not managing the risks. Unfortunately, the headline costs quoted in the media are extrapolations from surveys, and there is no commonly agreed methodology behind the figures.

Some of the most serious cyber security breaches have probably never been reported publicly, with the victims playing down their seriousness and cost to avoid reputational damage and other collateral harm. To encourage prudent investment by individuals and organisations in cyber security awareness, skills and technology, it is critical to understand the potential costs arising from a cyber-security incident, and how such incidents may arise.

So how close are we to developing a mechanism for properly assessing the financial impact of cyber-attacks?

An organisation that experiences a cyber-security breach is likely to incur costs in three main areas: tangible costs, which relate to direct financial losses such as loss of stock and penalties; intangible costs, which relate to the value and perception of the organisation; and operational costs, i.e. those associated with handling the incident and any remedial activities.

Underpinning these three areas there are usually six main generic cost types:

  • Administrative and recovery actions, including communications and business continuity activities, restoring services or restocking, and any other management activities needed to restore the organisation’s operations. These are effectively ‘opportunity costs’: the organisation could have been using its resources for its day-to-day activities, but is instead compelled to divert management and staff time to addressing the fallout from the incident.
  • Intellectual property losses, such as patented information, copyright material, trade secrets, customer lists, and other commercially-sensitive information.
  • Penalties, which may be legal or regulatory fines (such as for data protection breaches), compensatory payments to customers (for inconvenience or consequential loss), or contractual compensation (for delays, etc).
  • Property losses, which may arise from losses of stock (whether physical or digital) or failure to deliver services, or from financial theft or fraud.
  • Reputation losses such as loss of goodwill, market value, reductions in share price, loss of customer or business partner confidence, etc.
  • Security activities, which may include investigation of the incident, supporting law enforcement authorities in their investigation, making backed-up records available, and putting in place enhanced security measures to prevent a repeat of the incident.

This model of cost-impact tabulation extends from organisations to individuals affected by malicious cyber activity, who face the same three kinds of cost: tangible, intangible and operational. Tangible costs include the loss of cash or investments through fraud, with the potential for fines if the incident involves the loss of third-party information or property, or if the individual’s computer has been used for illegal activities. Intangible costs may be the loss of digital content of sentimental or archival value, or reputational damage through identity theft. Operational costs include the time and expense of trying to recover any losses, cleaning up infections on personal computing devices, paying for legal or technical assistance, and so forth.

Once the true cost-impact of a cyber-security incident is understood in this way, the need to mitigate its damaging effects becomes even more acute. Cyber security threats are not going away, and there are indications that their rate and complexity will increase in the coming years.

And although protective security technologies guard effectively against many online threats, the fact is that the greater need is for a wider pool of human skills. The IT security profession, in the UK and elsewhere, is increasingly realising that individuals and organisations that better understand and anticipate the potential losses from a cyber-security incident can make informed decisions about protecting their ICT systems.

Cyber Security Skills Alliance update

This understanding is one of the main drivers behind a new initiative, the recently formed Cyber Security Skills Alliance. Founded by the IET working with a range of partners from industry and academia, the Alliance aims to develop and promote a series of initiatives to support the Institution’s members and others with a vested interest in information security professionalism. One of the Alliance’s primary objectives is to define a career path for cyber security professionals, with training, development and qualifications linked through an achievable route.

The Alliance’s next aim is to facilitate a flow of highly skilled ICT professionals adequate to meet the UK’s strategic needs in the fight against online threats. As a leader in many areas of technology, the UK’s research and development centres, in academia and the commercial sector alike, are targeted by cyber-attacks every minute of every day. Successful attacks that misappropriate valuable intellectual property can be as damaging to the national economy as the direct theft of funds from breached bank accounts.

For team leaders and senior managers a sponsorship scheme of cyber security MSc courses has been developed. This scheme aims to develop the technical and leadership skills of individuals who will be responsible for securing the design and operation of an organisation’s technology-based operations – important not only for IT departments, but also for those who use computer-based control systems in all industry sectors. The sponsorship scheme allows organisations to fund staff or high-calibre potential recruits through modular or full-time cyber security courses. The Cyber Security Skills Alliance will be supporting the alumni from these courses with a range of CPD opportunities to help them maintain awareness of trends and further skills development.

As initiatives such as smart grids, intelligent transport, smart cities and machine-to-machine technologies begin to roll out, it will become even more essential that every organisation has its own in-house cyber security expertise, and that this expertise is not confined to the ICT department but extended throughout the workforce: the cost of cybercrime is not a burden that should be borne by the ICT function alone.

More information, email: CyberSecurity@theiet.org
