I am always working on trying to explain how better security can save your company from headaches and certain disaster in the future. While also figuring out why people are just not paying attention to security in general.
And as they say a picture says a thousand words. So lets discuss my little pie graph.
Ok, let’s assume a company with $1mil in net sales.
The company unfortunately got hit with ransomware (let’s not discuss how)
So unfortunately several machines were hit with ransomware that house some customer data. There was no way to recover the data as this company does not have a foolproof way to recover the system data. Since the data is important the company pays $2k in ransomware “fees” to the criminals. (I had this at $6k, but reduced to be more realistic)
Since the machines were breached with customer data, an audit was required while the repair was initiated. The audit caused a fine of $20k to be assessed(or an audit was created by the various agencies). The audit now requires also notification of customers of the breach.
The out of pocket costs of engaging a PR company for the negative press release to customers and media ($15k). As one must notify the customers.
The actual cost of repairing everything and now fixing the backups for good: $15k. (could be more if data was lost)
So what started as a relatively small cost in ransomware cost of $2,000 ballooned to $52k in total costs.
So I have figured out why executives do not pay enough attention to this problem in the past.
Even with a breach(I call it ‘ransomware’) and even with a lot of other incidental costs $50k. There is still plenty of money not touched. $848,000. Of course the business does not want to spend $52k when not in budget etc. the thing is the business is still operating except for a couple of days of frantic efforts. Maybe the IT department is in better shape now, where it should have been in the first place!!@#
So even in this worst case scenario with a badly run IT department… the business is still operating, the cost is relatively minimal at 5.2%. True this is with a $1mil net sales company
So the ‘lessons’ of this occurrence can be lost on executives.
Sure some money was lost on criminals, and some reputation may have been lost, but the business moves on. As it still made $848,000.
The cybersecurity industry has been screaming the next hack will take you down for years now. So why pay attention?
Now you know the next time a new headline comes out with the latest security exploit which can take down your computer network. The Executives are yawning and moving on with everyday life.
I think the security industry needs to scream less bloody murder and more like this:
With some prevention methods like proper backups tested and more IT departmental improvements you can save yourself from money outlay of $40k for the fix, audit, and PR costs.
I know it is a different message and not as dire sounding as
“Drop everything and patch all your computers before you are attacked and hacked while losing all your data.”
I am fixvirus.com – this is my blog – TonyZ (edited 7/28)