As a leader, you need to prioritize your company’s resources. The question of how much it makes sense to spend on cybersecurity can arise, and it can seem very difficult to find answers. Trying to find an answer to the key question – what should cybersecurity cost? – is often surprisingly difficult.
Will it help us if we set aside €2500 next year to reduce the cybersecurity problem, or will this be a waste of money? Let’s say you run a construction business with 5 employees. You have a turnover of 1 million Euros a year. Can computer crime affect you, and how much could it possibly cost?
The construction company Kanonbra Snekring AS uses a cloud-based accounting program where both they and an accountant have access. In addition, they use e-mail to communicate with customers and receive orders, and to organize the work between them. In order to be able to assess how large the expected cost this company will be of a computer attack, we must first look at what events are likely to occur, and then assess the cost of the events, and how likely it is that they will occur. Work drawings and project documentation are also processed in the computer system and sent out to the work teams that use a tablet for drawings and the like.
- Criminals gain access to the accounting system and change the account number on the outgoing invoice to their own
- Criminals send fake invoices to Kanonbra Snekring which are then paid
- They are exposed to ransomware, which makes drawings and project documents inaccessible, and they are coerced to pay the ransom.
- Criminals hack the company’s email accounts and use the access to send fraudulent emails to other companies, including customers
According to the Norwegian cybersecurity survey “Mørketallsundersøkelsen”, 14% of companies in Norway say that they have experienced safety incidents with negative consequences for the company during the past year. There is reason to believe that many are not even able to detect this and confirm the cause, but it is not unreasonable to assume that this can apply to as many as 25% of companies.
Costs of a hacked accounting program: €24,400
Imagine that the accountant of Kanonbra Snekring receives a phishing email with an attachment in Word format. This turns out to be a contract proposal from an existing customer, which they want help to consider. The case is sensitive, and they are asking the accountant to “enable active content” to turn on security functionality that allows reading of the document. Then it’s done: a macro downloads malicious software, which allows criminals to take control of the computer of the accountant, who himself does not notice any of this. When he pressed the button to activate the content, he got to read a standard contract that makes sense for the company it seems to come from. What he does not know is that criminals have now entered a so-called keyloggeron the machine that picks up all keystrokes and sends them to the web.
This way, the criminals obtained the password to the cloud-based accounting solution, and changed the account number on the outgoing invoice to many customers by the accountant. That month, Kanonbra Snekring’s customers were tricked into paying €17,800 to criminals, while nothing came into the construction company’s account. What is the real cost of such an event? If we know that, we can perhaps also better understand – what should cyber security cost?
Costs associated with a computer attack can be divided into four main categories:
- Costs of dealing with the incident and restoring the systems again afterwards.
- Costs associated with direct and indirect financial losses.
- Costs to cover liability if others are injured, or to cover fines and the like if applicable
- Costs of upgrading security afterwards to ensure that the same incident does not happen again
Let us consider the total cost of the invoice event.
|Cost type||Cost elements|
|Event management||Review and investigate what led to the invoice being sent incorrectly: 16 working hours internally, 8 for the accountant, 8 hours in meetings.|
32 hours x EUR 50 / hour = EUR 1,600
|Financial losses||First, we do not get paid in money this month, a loss of 17,800 kroner. In addition, we notice a decrease in requests for work, which we decide to place a full-page ad in the local newspaper to counteract, as well as set up a monthly advertising campaign on Facebook. The cost of this will be about €2000.|
Estimated financial loss: NOK 19,800.
|Liability coverage||Here, the data breach was due to an incident with the accountant, so it is unlikely that Kanonbra Snekring will be held directly responsible here. No cost included.|
|Upgrading security||As part of the investigation, we hire an IT consultant for 3 days, which costs 3,000 Euros. The consultant makes recommendations for safety measures that will cost us up to 12,500 a year if we introduce them, but we are waiting to make that decision.|
Consultant cost: EUR 3,000
Total cost of the event directly: EUR 24,400.
How likely is such a scenario?
To assess whether it makes sense to set aside money for better security, we must also know something about how likely such an event is. Around 25% of Norwegian companies suffer annual losses due to security incidents. There are fewer small companies reporting this than larger ones, so we can perhaps assume that the probability of financial losses due to data attacks in a small company is about 15%. You need some background knowledge about cyberattacks to assess likelihoods, and a strategic threat intelligence service is a good source of such information.
According to the survey mentioned above, financial losses as a result of data security incidents average €8,500, but the spread is large, with the highest value mentioned being €500k. If we conservatively calculate an expected value of more than approximately €24,000, the expected annual loss will be €3,600.
Taking the variance into account is important when planning cybersecurity investments. Many incidents are not very costly, but some are very expensive and could threaten the existence of the company. It all comes down to what our risk appetite is. What should cybersecurity cost is not only a question of averages, it is also about deciding how much cost volatility you can absorb.
The IT consultant’s advice
The IT consultant Kanonbra Snekring hired in, found out that neither the carpentry company nor the accountant had any routines in place for data security. Here are the recommendations from the consultant:
- Make sure all software is updated as soon as possible. The consultant can offer to take care of a workload of about 1 day per month, at an annual cost of €10,000. The consultant estimates that this reduces the risk by 15%
- Make a list of critical software and data and set stronger security requirements for such software. They should have at least two-factor authentication and logs that show when which users have logged in. This should take about 5 hours per year and can be done by the general manager. Cost 5 x €50 = €250. The consultant estimates that this reduces the risk by 20%.
- Give all employees good safety training, the consultant recommends Cybehave’s role-based program at €1,200 a year. The consultant estimates that this reduces the risk by 15%
- The consultant recommends that only pre-approved programs be run on computers, and that users not be able to install software themselves. The consultant can set this up for 4 hours at a cost of 500 Euros. The consultant estimates that this measure will reduce the total risk by 10%.
- The consultant recommends that you take out a cyber insurance that will cover costs for incident handling, liability and lost sales, so that the consequences are not so serious if the accident occurs. The annual cost of this is about 500 Euros.
Simple measures together with insurance can provide cost-effective protection.
Kanonbra Snekring considers proposal 1 to be too expensive, and rather goes to check that all computers are set to automatically update software. They choose to introduce the other measures, at a total cost of €2450. The insurance alone reduces the costs we have to cover for the invoice event for marketing (2,000) and direct consulting assistance (3,000). The risk reduction from measures 2-4 amounts to approximately 39%, so that the expected loss is then down to 5,000 x 0.15 x 0.61 = €457,5.
We have concentrated on averages in this blog post when trying to find an answer to the question “what should security cost?” – and we may be willing to invest more in security if we consider the expected lifetime of our company instead of just the expected annual cost. That said, based on an annual expected cost assessment, we arrive at the conclusion that spending money on security will on average lower our costs related to security incidents.
With the cost of the measures, the annual cost of cyber security will then be 2,658, an estimated saving on average per year of €942,50.– Builder Anderson, chief carpenter and security officer at Kanonbra Snekring AS