What are the typical costs to a business from a cyber-attack?

While the impacts of a cyberattack will be felt differently by small and large businesses, the damage caused by a breach can create a significant dent in a business’s bottom line, no matter its size.

Тhe average security breach on a small business will cost about US$75,000. The amount includes the costs of downtime, lost business opportunities and the services the company will need to hire to mitigate the cybersecurity breach. Small businesses pay, on average, about $15,000 in professional services, including the hiring of IT security and risk management consultants, lawyers, auditors, accountants and public relations consultants.

The impact is even more costly to larger businesses, where the average cybersecurity breach costs about $1,000,000.

Evaluating the “Hidden” Costs of a Cyber Attack

Common perceptions, however, are mostly shaped by what companies are required to report publicly, such as the theft of personally identifiable information (PII), payment data, and personal health information (PHI). Costs related to customer notification, credit monitoring, and the possibility of legal judgments or regulatory penalties. Today, the industry is converging on a “cost per record” calculation for consumer data breaches.

Cases of intellectual property (IP) theft, espionage, data destruction, attacks on core operations, or attempts to disable critical infrastructure are rarely brought into view. These attacks can have a more significant impact and lead to additional costs that are more difficult to quantify.

Given the impact and prevalence of cybersecurity breaches, executives must be aware of direct impact costs to their businesses and the number of hidden costs associated with a cybersecurity breach:

  • Insurance premium increases
  • Increased borrowing costs
  • Operational disruptions or destruction
  • Customer relationship losses
  • Value of lost contract revenue
  • Devaluation of the trade name
  • Loss of intellectual property

Cyber Attacks Cause More Than Just Financial Pain

A business’s success depends heavily on its reputation and perception in the marketplace and the value it delivers in the long-term. Cyber-attacks cause damage that cuts deeper than dollars and cents: mitigating an attack’s impact requires a focus on managing risks and vulnerability to cyber attackers to ensure your business’ reputation remains intact.

There are many ways a cyberattack can affect – and cost – an organization, and the impacts will vary depending on the nature and severity of the event. And no business is immune.

Navigating cybersecurity challenges in a new remote working era

The Covid-19 pandemic has affected businesses worldwide, leading many to adopt remote mass working almost overnight. While some organizations were well-prepared for this shift, many had only experienced a small percentage of their staff work remotely at any time before. Recent Leesman research of over 700,000 employees worldwide found that 52 percent have little to no experience working from home, and even of those who do, 83 percent typically do so for just one day a week or less. As lockdowns ease and economies slowly begin to kickstart again, businesses are now looking at options for returning staff to the office safely, and the question on many people’s lips is whether remote working is here to stay?

The answer to that question is not a straightforward one. There are several factors that businesses need to take into account to ensure successful future remote working. Unsurprisingly the dramatic shift that companies of all sizes have been confronted with has resulted in a host of challenges for IT teams. A significant issue has been and continues to be around security, with issues arising around data access control, VPN security, and fast changes to infrastructure. The challenge is a two-pronged one that involves managing existing threats, which are now intensified by a far-reaching shift to remote working and protecting employees and systems from an increased cyber threat as cybercriminals look to exploit the magnified uncertainty caused by the pandemic.

It’s vital that businesses tackle these security-related issues now, not only to navigate the current landscape efficiently but also to future-proof their organization for what will undoubtedly become a lasting change to the way we work in the longer-term.

The lack of preparedness that is clear amongst most organizations may leave them unprotected in several areas. First and foremost is from a device management perspective given the newly created end-point network that is significantly dispersed. Businesses that have not heeded security experts’ calls in recent years and have not implemented multi-factor authentication capabilities will be vulnerable to brute force tactics such as password reuse attacks. More critically, an outdated mentality that sees security as ‘behind the firewall, or not’ will result in insufficient controls for managing the unprecedented blend of BYOD and managed devices that make up a remote workforce.

A multi-pronged approach

There are several steps that companies should consider to reduce the potential threat, and a multi-pronged approach is the best strategy. IT teams should ensure that comprehensive monitoring tools are put into place, given that home networks are now essentially an extension of the office. They should also offer staff ongoing training and advice concerning securing their home networks. This new environment has put some cybersecurity in the hands of remote employees, so they need to be prepared to protect themselves and the organization.

Further to this, security needs to be extended to the device level. This means utilizing both hardware-based tools and enabling software updates that can be easily implemented and scaled across all end-points. For example, Ubuntu Desktop allows users to facilitate unattended-upgrades and Livepatch to protect end-points from emerging threats without IT intervention. Using a corporate proxy server or VPN can also help to protect and monitor the newly extended network. Simultaneously, users can also enable low-cost DNS filtering services like OpenDNS to prevent access to harmful sites.

VPNs: increased security not without risk

VPNs have unsurprisingly seen increased popularity in the current climate as they offer secure remote access for employees. According to a recent report, since March, the UK has experienced a 48 percent increase in business VPNs, while globally, this has increased by an astonishing 165%. Beyond standard functionalities such as authenticating users and providing layered access control, VPNs can be configured to use full tunneling for more substantial enterprise protection. Examples of this include the ability to harness corporate network filtering such as Intrusion Detection and Protection Systems (IDS/IPS), in addition to other situational awareness protocols like NetFlow to collect and analyze network traffic. However, with such an increase in VPN deployment and in such a short space of time as we’ve seen in recent months, there is more chance of an error occurring during network segmentation, which could unexpectedly expose company resources to a broader scope than anticipated.

Considerations for the cloud

Ongoing adoption of cloud-based products and services also poses a further area for concern about security., Businesses making this shift to the cloud need to deliberate on how they secure their services and data. Many assume that the cloud provider manages this for them, which is not necessarily the case and depends on the service. With this in mind, the same due diligence is needed when choosing a cloud platform as they would use when deploying their infrastructure. Alternatively, companies can turn to a managed services approach, ensuring the underlying complexities of their cloud infrastructure and applications – in terms of maintenance, security and scalability – are run by a trusted partner, which means their IT teams can focus on other primacies, especially during these unprecedented times.

Ultimately, an after-effect of this pandemic will be that it illustrates a potential new future world of work, a future where remote working is the norm and people and organizations can continue working effectively, regardless of their location. Even for those who were perhaps reluctant to adopt a remote strategy before, these unprecedented times have shown that homeworking can be a successful part of their more comprehensive business strategy. As remote working becomes universal, the explosion of cloud resources and VPN services will continue, and new access control measures will be needed. For IT teams, this poses new associated security risks to overcome to navigate the now and the future of their business longer-term.

Essential practical cybersecurity tips for businesses and employees during Covid-19

From a business viewpoint, the global coronavirus pandemic has left many scrambling to find a way to ensure business continuity in a time of unparalleled uncertainty. We know the government has encouraged home working, but due to the swiftness in which everything changed due to the widespread lockdown, cybersecurity may have been forgotten or even overlooked. If left ignored, this could have severe consequences for both your business and your employees. To avoid such predicaments and keep your cybersecurity exposure to a minimum, here are some practical tips to ensure your business and employees are kept secure while working from home over the coming weeks and months.

Tip 1: Be mindful when conference calling

With remote working seemingly the norm for a substantial amount of the population, conferencing calling services like Microsoft Teams, Zoom and Skype are among the leading sites that are heavily utilized to conduct work-related duties and communicate with colleagues and customers. However, with vast amounts of data being shared across these channels, users must be wary that they do not share too much, significantly, if it inadvertently breaches privacy or security. Given the dependence on this form of communication, Zoom attacks have surged of late.

To avoid being embroiled in a breach of GDPR, it is imperative to ensure that the unique conference link is only shared with those necessary when using one of these services. Widely exposing this link can allow anyone to enter the meeting and potentially spy in on a private conversation, leave inappropriate messages or even steal data from this channel. To be extra secure, when creating an online-meeting or virtual room, ensure the invitation settings are made private and carry-out an attendance check before commencing.

Tip 2: Security threats are mounting, so ensure the software is up to date

Hackers have shown no signs of remorse, given that many have been affected by Covid-19, and so businesses must remain on high alert as there is now an even greater dependence on software to support the workforce. This includes monitoring for updates and security checks on software, websites and applications used because any unpatched vulnerabilities could lead to a catastrophic data breach. Our recent threat intelligence research into CVEs flagged ‘CVE-2019-11510 Pulse Secure Authentication Bypass Vulnerability’ with a high likelihood of being exploited, which, if left unpatched, is an open pathway for hackers through the Pulse VPN used by many companies during the pandemic. Therefore, this critical flaw should be fast-tracked for patching. It could be a way for a hacker to retrieve access to business systems, potentially exploiting critical information, including passwords or other sensitive data.

Recently, cyber-attackers have shifted their aim to exploit vulnerabilities within the operating software regularly used by businesses today, including Microsoft 365 and WordPress, which are most vulnerable during working hours. Therefore, it is advised to conduct regular and, if possible, continuous vulnerability assessments on all systems and software to guarantee that no patches are missed or, at a minimum, the most severe are prioritized.

Tip 3: Shadow IT and cloud data leaks on the rise

As more staff than ever working remotely, it’s unsurprising that shadow IT is on the rise. While businesses try to maintain operation, workloads have shifted to the cloud, creating security shortcomings. A lack of cloud governance in the new ways of working could spell security disaster in the long term. Cloud environments are notoriously easy/cheap to set up but hard to secure/monitor due to the dynamic nature. If left unchecked, these issues could lead to security challenges, including misconfigurations (the most common reason for data leakage), compliance and data sovereignty issues. Therefore, it’s more critical than ever to continue practicing the same security fundamentals as before and extending to the cloud and multi-cloud, ensuring you’re not left vulnerable to security flaws that could come back and haunt you later and take a large amount of budget and resource to fix.

To combat shadow IT issues without adding security burden, automate cloud security assessments to identify and monitor any system flaws, including misconfigurations and workload vulnerabilities, and ensure your tools provide a single view of your critical assets and their security posture are across multi-cloud.

Tip 4: Avoiding employees being targeted while at home

As employees adjust to working from the comfort of their own home, security awareness may be relaxed or even forgotten. Cybercriminals are counting on as there has been an uptick in the number of phishing threats now seen. Cybercriminals are quick to change and tailor their attack methods to align with a specific event, holiday, political situation and, in this case, the coronavirus, so it is vital to remain wary of any tell-tale signs of malicious activity.

We recently identified several security vulnerabilities that could put homeworkers at risk. Home routers Netgear and Apple devices include vulnerabilities caused by outdated software, and limited authentication are ones to watch. While your employees can remain security-aware through training and internal policies, it’s important to alert them to potential threats posed by at home working and ensuring staff know to update the software on their vulnerable devices. Routers should be sufficiently checked, authenticated and verified to ensure catastrophic man in the middle attacks don’t happen.

During this uncertain time, following security fundamentals and best practices should not be overlooked when maintaining healthy security hygiene. Cybercriminals will try to exploit any sign of weakness within business infrastructure, whether through technology or by exploiting the human element. During this period and from now on, security cannot be overlooked, especially when employees and customers count on businesses to do the best for them.

Remain vigilant, have security in mind, and if it’s a necessity, reach out and outsource any security to a specialist – we don’t want you or your business to get caught out!

First steps should your business be taking to protect itself?

Review your policies and procedures

There are numerous HR policies that your business can implement to ensure a smooth and secure home working. While you are not under strict legal requirements to implement these, it is best practice and can help you streamline your processes.

Working from the home policy can set out your staff’s expectations while working from home, including data security and confidentiality. To comply with your data protection obligations it is likely to be appropriate for you to have a separate data protection policy setting out what duties your staff are under when handling personal data, including ensuring that it is processed securely at all times.

An IT security policy can include requirements regarding passwords, the physical security of devices and protocol around installing software. Suppose you already have an IT security policy. In that case, you should review it to make sure it is fit for purpose and strongly recommends using two-factor authentication wherever possible.

If you allow staff to use their devices while working from home, consider a BYOD (bring your device) policy to address the additional security risks that will arise. For instance, this will help you ensure that appropriate security measures are taken when handling sensitive information, including any third-party data, on personal devices.

It will also be beneficial to have a personal data breach policy setting out your business’s response plan if a data breach occurs following a cyberattack.


Check your remote working systems

If your business is accustomed to having staff work remotely, check that all of your remote working systems are updated with the most recent security patches and firewalls. If working from home is new for your business, take the time to ensure that the systems you set up are fit for purpose and that you have applied appropriate and up-to-date security functions. For example, ensure that virtual meetings are private and require password entry.


Secure your devices

Make sure you take steps to secure devices while they are outside the workplace. For example, ensure encryption is turned on and that you can remotely lock devices and erase or retrieve data stored on them if they are misplaced or stolen.

If staff are using their own devices to work on, make sure they know how to save work remotely and not locally on their device, check that their antivirus software is installed and fully updated and remind staff to ensure the physical security of their work, for example by locking their screens when they are not working.



Make sure your employees are backing up their work regularly. Any back-ups should also have strict security measures; for example, access should be restricted to certain people within your organization and should be kept separate from the original copy (e.g., using a cloud service). If your necessary data is backed up, you won’t lose it if devices are lost or stolen, and you can protect your business from ransomware attacks (which make your system or data unavailable until you pay a ransom).


Train your staff

Individuals are a crucial target of cyber-crime so remind your staff to be alert and make sure they are aware of the risks to look out for. This may require you to recirculate your policies, refresh their training on relevant security procedures or to circulate specific examples of Covid-19 cyber-crime.

Ensure your staff know what to do and whom to report to if they identify a cyberattack or think there might have been a data breach. Not only might an attack put your business under threat, but it might create legal obligations for you under data protection law.


Provide IT support

Your staff may be working from home, but they’re still likely to need IT support access. Check whether your normal support will continue while staff are working remotely, and make sure you update staff if there are any changes. If support is readily available, IT vulnerabilities are more likely to be flagged quickly.


Remember GDPR!

Any data that your business handles that contains personal information will trigger data protection law, and you must remember your data protection obligations at all times.

Suppose there has been a personal data breach due to a cyberattack (i.e. a breach leading to the destruction, loss, alteration, unauthorized disclosure of or access to personal data). That breach carries some risk to individuals. In that case, you will have to notify the ICO (Information Commissioner’s Office) within 72 hours of you becoming aware of the breach. You may also need to notify affected individuals. Even if you do not need to report the ICO (because you don’t think there is a risk to individuals), you should still keep a written record.

These legal obligations serve as a reminder of the importance of businesses having effective cybersecurity policies and procedures to ensure that they can protect their business from attack and comply with their legal obligations if and when an attack does occur.


Report any breaches

If you think that your business has been the victim of cybercrime, you should report this through the Action Fraud Websites.

Cybersecurity measures businesses should be taking during Covid-19

As the world remains in lockdown amid the Covid-19 pandemic, the National Crime Agencies have identified a surge in ‘coronavirus-themed’ malicious apps, websites, phishing emails and messages that seek to steal confidential or sensitive information.

While much of the malicious cyber-activity that has been identified is targeted at vulnerable individuals and organizations involved in the pandemic response (such as healthcare organizations), businesses should not rest on their laurels. Not only might staff members be targeted, thereby putting business systems and information at risk, but remote working systems are also vulnerable to attack.

Attacks that compromise your business’s systems could ultimately lead to the loss of sensitive information, fraudulent activity or personal data breaches, which could have severe financial and legal implications for your business.

To help, we’ve taken a look at how your business can keep ahead of the curve by identifying and addressing any potential cyber-vulnerabilities.

What should businesses be looking out for?

Read more