The Hidden Business Costs of a Cyberattack
Understanding the havoc cyberattacks can wreak on an association’s business is the first step to remaining proactive against them.
Lisbeth Salander, the unlikely heroine of the Millennium series by Stieg Larrson, is a hacker—and a crack one at that. In the fourth book, which was written by David Lagercrantz after Larrson’s untimely death in 2004, Salander hacks into the National Security Agency’s intranet. And without giving too much away, the pandemonium that ensues stretches from the U.S. to Sweden.
These books are some of my faves, so much so that I begged my husband—then a book reviewer—to get me an advanced copy of The Girl Who Kicked the Hornet’s Nest because I just had to know what happened next. For me, what made these books irresistible was the good writing, the gripping plots, and the strong female protagonist. Salander is a hard-as-nails punk hacker, but she’s also a quasi-altruist, similar to Disney’s version of Robin Hood. All that to say, Salander’s motives for hacking are at least somewhat pure.
Most hackers, however, don’t have such good intentions.
“If [hackers] used their skills for good—their knowledge, their abilities, the world would be in a better place,” says MaryAnn Bobrow, president of Bobrow & Associates. “And yet they use them for evil.”
Most are looking for personal information they can exploit for their purposes, including personally identifiable information, payment data, and personal health information. They might want to steal intellectual property. They also might just have a hankering to disable infrastructure or destroy data.
When I asked Bobrow whether she thought that associations were taking the risk of cyberattacks seriously enough, she replied with a definitive: “No.”
“I would say the majority of them don’t take it seriously enough,” Bobrow says. “Some of course are, but as a general rule, no. They’re not thinking about it and not factoring it in. And if you’ve never gone through [a cyberattack,] you don’t realize how all-encompassing it is.”
Deloitte, in a recently released report titled “Beneath the Surface of a Cyberattack: A Deeper Look at Business Impacts,” writes that some of the problem is trying to get boards, executive management, and technology leaders all on the same page.
“At the core of this struggle is a view that business executives and security professionals seldom speak the same language and—perhaps more important—they rarely approach cyber challenges in a way that integrates multiple competencies to create better business context and insight in their cyber strategies.”
This is especially the case in estimating the risks and the financial impacts a cyberattack poses. In effect, people don’t know what they don’t know.
The report lists 14 business impacts of a cyberattack, which can have repercussions in the days, months, and even years following a hack. Some of these business impacts might be obvious. For instance, if a cyberattack occurred, there would be costs associated with conducting a cybercrime investigation, making improvements to cybersecurity systems, and paying attorneys. But some costs might be under an association’s radar, and these could be even more monetarily devastating. These impacts might include insurance premium increases, additional public relations costs, the value of lost revenue, and the loss of intellectual property, among others.
So, what’s an association to do?
Bobrow recommends taking the time to find out more information on the risks of cyberattacks—or assembling a team that can educate you and your staff on the topic. She also suggests that associations assess where they are vulnerable to a cyberattack. Deloitte, in its own set of recommendations, makes the condition that while businesses may not be able to protect themselves against every single cyberattack eventuality, but they should invest in security measures in their highest risk areas or assets.
Bobrow also highlights the need for associations to modernize their emergency response plans. After 9/11, she says, “Everyone who didn’t have an emergency plan was scrambling to create one.” But Bobrow wonders how many associations have updated those plans since then.
“Our world is changing, our technology is changing,” she says. “There’s all these new risks being thrown at you. We have to stay on top, and we have to remain vigilant about what’s coming down the pike in order to anticipate it.”