The post-mortems about the widespread WannaCry ransomware attack in May have tended to overlook the most common consequence of cyber-attacks – the damage to the share price. Bad as it can be, it is compounded by customer uncertainty regarding the safety of personal data and increased concern along the supply chain – all exacerbating a loss of shareholder confidence and leading to loss of revenue.
While the criminals behind WannaCry only wanted a few hundred bitcoin, such well-publicised breaches can cost a business infinitely more through their effect on investor and indeed consumer confidence.
A report from Oxford Economics in April (before WannaCry) calculated that around the world, cyber-attacks have cost investors £42 billion in total, with FTSE 100 companies having to bear average costs of £120 million for each criminal success.
The researchers analysed 65 of the most serious cyber security breaches since 2013 and found that a firm’s share price suffered an average 1.8 per cent drop from which it did not recover. Some companies saw a crash in valuation of as much as 15 per cent. The figures were arrived at through careful analysis of post-attack performance when measured against a control group that had managed to avoid being breached.
There is nothing new in saying cyber criminality represents a huge threat to the reputation of a company. The Oxford Economics report does, however, give us some hard evidence of the effect on investor confidence.
Business wakes up as costs mount
Of course, any company breached by cyber criminals faces the multiple costs of remediation, the installation of new defences and, quite possibly, compensation claims.
The seriousness of the threats prompted a long discussion on the topic at the World Economic Forum earlier this year, where many agreed it was the biggest challenge facing the world’s technology industries. Others warned that fear of data breaches is causing organisations to hold off investment in technology that they need for their growth.
Not surprising then that Chief Information Security Officers (CISOs) are under pressure to be innovative and to find new, but cost-effective, solutions.
There remains, however, the strong suspicion that boards do not always listen or are still not fully aware of what is required to combat cyber threats effectively. The rapid growth of cyber insurance policies is a sign of defeatism in which corporations almost expect to be breached. The insurance covers only the tip of the iceberg in terms of the loss. While the immediate cost of clean-up and remediation is covered, the long-term damage to customer confidence is not factored in. This will be especially worrying when EU GDPR regulations come into force in 2018 and the story of a breach is played out in the European courts and media.
This is not the way forward if companies want to protect their value. Boards need to realise that a data breach or ransomware attack is not inevitable. Sadly, many CISOs are struggling to get the message across. A survey of IT and business leaders in 20 countries by the consultancy Control Risks found that less than half do not believe their boards are capable of managing cyber threats effectively.
Innovation protects value
It is imperative now that everyone in a senior position understands that constantly evolving threats require innovation, rather than just post-infection sticking plasters. Criminals have moved on from threats that signature-based tools can detect and are now altering the structure of common file-types. This is a mechanism for defeating existing security and anti-virus solutions in order to breach an organisation’s defences.
When faced with well-resourced criminals and covert, state-backed hacking groups, legitimate businesses cannot afford to fall behind in the race to innovate and need to reassess their level of skill and motivation.
Most fundamental of all, CISOs have to make their boards understand that traditional signature-based anti-virus security is no longer a safeguard. They must make the case for investment in real innovation.
With more than 90 per cent of successful breaches beginning with malicious code hidden in email attachments, it is time senior executives got to grips with technologies such as file-regeneration. This keeps threats locked outside the organisation, thanks to its ability to match the common file-types we use in attachments against manufacturers’ standards. In less than a second it rebuilds them as clean versions before allowing them into the business in line with risk policy.
Besides blocking out all threats – known and evolving – one of the great benefits of file-regeneration is that it puts organisations back in control. This is the kind of innovative technology that major businesses need to deploy if they are to prevent criminals from taking huge terabyte-sized chunks out of share prices.