Natural disasters caused by extreme weather conditions, particularly hurricanes and typhoons, are becoming more devastating than ever. But while the World Economic Forum has tagged extreme weather events and natural disasters respectively as the top two global risks most likely to occur, a purely man-made risk isn’t far behind. Number three on that list is cybersecurity attacks.
But just how destructive are cybersecurity attacks compared to the other two? Let’s find out. In this post, we compare virtual disasters (i.e. data breaches and other cyber incidents) with physical disasters (caused by extreme weather events and natural disasters) in terms of cost, business downtime, chances of forcing businesses to close shop, and several other factors.
Individually, the cost of physical disasters is still much larger than those of virtual disasters. For example, hurricanes Katrina and Harvey cost approximately $125 billion each, and the earthquake and tsunami that struck Japan in 2011 (which in turn caused the Fukishima nuclear plant meltdown) cost about $360 billion.
In comparison, here are some of the most expensive cybersecurity attacks in history and their corresponding costs:
- MyDoom – $38.7 Billion
- SoBig – $37.1 Billion
- ILOVEYou – $15 Billion
- WannaCry – $4 Billion
Equifax data breach – $4 billion (this was the stock market value it lost a week after the consumer credit reporting agency reported it was hacked)
The most expensive attack is just a little over 10% of the most expensive natural disaster. However, it appears that virtual disasters happen more frequently. Let me elaborate.
The total cost of a data breach is currently estimated to be at $3.86 million. Also, the global average cost of cyber crime (per company) over 5 years is estimated to be at $11.7 million. While the lack of data as well as contradicting methodologies make it hard to obtain the total cost of cybercrime, a recent attempt to model the global (total) cost of cybercrime pegs it at around $600 billion.
Compare that to last year (2017), the global cost of natural disasters was $306 billion. Of course, almost all these major natural disasters cost human lives, so if you factor that in, physical disasters can certainly be more devastating.
However, it’s worth noting that WannaCry and a few other recent ransomware attacks have been targeting hospitals and, in the case of WannaCry, managed to disrupt and hinder several medical procedures. Although not yet nearly as catastrophic as major natural disasters, virtual disasters have now undoubtedly gained the capacity to threaten human lives as well.
To make matters worse, companies who suffer from a data breach can suffer even more losses through regulatory fines. This is in stark contrast to what happens to some businesses after getting hit by a natural disaster – some receive public/government aid.
Just as there’s no arguing we’re in the midst of significant climate change and that physical disasters caused by extreme weather events will likely keep getting worse and more frequent, so it is that we’re now in a continually growing cyber age and that our hyper-dependence on interconnectivity, applications, and data will only continue to draw more destructive cybersecurity attacks.
Small businesses downtime
Virtual and physical disasters have a few other similarities. One is that small businesses can suffer multiple days of complete downtime when subjected to either type of event.
For example, torrential rain and flooding like the one that inundated some counties in New Jersey last August or Hurricane Harvey that wreaked havoc in Houston last year can force small businesses to close temporarily. Floods can shutter small businesses for weeks, as people focus on 1) keeping their goods and themselves above water and then, 2) once the water subsides, cleaning up mud and debris.
Similarly, malware outbreaks, like the ransomware attack that temporarily shut down SF Muni (San Francisco’s public transit) ticket terminals two years ago, can leave affected businesses incomeless for a day or more.
Small business complete closure
Because of their limited resources and because they can be easily overwhelmed by the sheer magnitude of a major disaster (whether virtual or physical), some small businesses might even be forced to close shop permanently. It’s easier to imagine that happening in the aftermath of a catastrophic earthquake, tsunami, or hurricane. But can cybersecurity attacks really do that, too?
It turns out they can, especially if the attack happens to strike a business highly dependent on digital assets. That’s exactly what happened to a small online retailer in the Midwest after 15,000 of its accounting and customer files got encrypted by ransomware. The company didn’t have the affected files backed up, and the decryption key failed to work even after they paid the $50,000 ransom. That company closed shop six months later after sales plunged.
Large enterprise downtime
Large enterprises, on the other hand, are usually more resilient to either type. And because physical disasters are mostly localized, large enterprises (particularly those that operate nationally or globally) are less likely to suffer complete downtime because their offices in other geographical locations can continue to operate.
You can’t say the same thing for cybersecurity attacks, especially with those that involve rapidly propagating malware like WannaCry or Petya. Malware with wormlike properties can spread to virtually any network connected to the currently infected one. Meaning, these types of attacks can still cause company-wide disruptions to large enterprises whose geographically dispersed offices are nevertheless interconnected through an intranet.
A prime example of this is the NHS attack last year, which took down 16 hospitals throughout the U.K., due to WannaCry. To mitigate any further damage, the hospitals shut down all computer systems and cancelled all non-urgent activity – rejecting patients until their systems were brought back online.
These two types of disasters also differ in the level of reputational damage they bestow on a company. In fact, in some cases, a natural disaster can even inspire customers to rally behind a brand. While the exact opposite happens after a data breach, which usually causes customers to lose confidence in the brand and consequently increase customer churn.
Preparation and remediation
Both virtual and physical disasters can force businesses to suffer substantial losses. As such, they need to be met with proper planning for effective business continuity and disaster recovery (BC/DR).
Preparation and risk mitigation
Basic considerations are more clearly defined and constant when you prepare for a physical disaster. Your geographic location alone will already tell you what the threats are. For instance, if you operate in a hurricane zone, then you’ll obviously need to prepare for floods and torrential rains. Or if you’re in in the Ring of Fire, then you likely need to prepare for earthquakes and volcanic eruptions.
Unfortunately, you don’t have that same luxury of being able to identify threats that are most likely to strike when it comes to virtual disasters. Not only are there a variety of cyber threats, these types of threats are also constantly evolving. So, your preventive and recovery plans need to be updated regularly.
Another advantage of preparing for a physical disaster is that it’s much easier to solicit employee cooperation. That’s because they’ve most likely already experienced the impact of the threat sometime in the past. The same doesn’t hold true for virtual disasters, where, even if a cyber threat is already right in front of them (e.g. a phishing email has been detected), employees can still find it hard to fathom its impact.
The presence of a geographically separate BC/DR site is important in dealing with both physical and virtual disasters. If floods inundate your production site, you can continue to operate if you have a BC/DR site in another location. Similarly, if a DDoS attack or ransomware outbreak cripples your main data center, you might still be able to operate if you have copies of your data and services in a geographically separate DR site.
The human element
A lot of virtual disasters, like malware outbreaks and data leaks, are caused by a user’s poor judgement or careless practices. Because of this human element, many of these virtual disasters can be avoided by arming employees with ample security education and training. You can’t use that strategy against physical disasters. While you can mitigate the impact of a physical disaster (e.g. by doing earthquake or fire drills), you really can’t do anything to prevent it from happening.
Cleanup and remediation
Cleanup and remediation activities following a natural disaster is usually straightforward and well defined. Assuming the disaster doesn’t totally wipe out your business and assuming basic services like power and water are available, you would probably be back in business in a few days.
Cyberattacks, on the other hand, are more complex. First, the attack or data breach might go undetected for 100 days or more. Then, once it does get detected, remediation might take another 60-70 days with traditional security companies (unlike Armor who has an average dwell time of less than a day).
Gone are the days when an organization’s preparation and disaster recovery plans had to focus primarily on natural disasters. Cybersecurity attacks are fast becoming a serious and imminent threat. As such, you should not only factor it into your BC/DR plans but also treat it as one of your top priorities.