
Counting the Costs of Cybercrime. What Is the Impact of Cybercrime on My Company?

David Cohen

A cyber-attack can cause enormous damage to your organisation:
 
Financial: A cyber-attack can lead to direct financial losses, for example, a phishing attack that leads to money being transferred to the hacker. There are also indirect financial losses, both from trying to resolve the incident as quickly as possible and from the potential loss of customers.
 
Operational: A cyber-attack can disrupt computer systems to the extent that they can no longer support daily business operations. This disruption will, of course, also have financial consequences.
 
Reputation: A cyber incident negatively impacts the company and can, in the blink of an eye, damage a reputation that has been built over years. Reputational damage will eventually lead to financial losses due to a direct impact on turnover and the additional costs incurred in rebuilding the reputation after the incident.
 
What can happen?
 
The damage caused by a cyber incident can be reduced to the acronym CIA (Confidentiality, Integrity, Availability):
 
Confidentiality: Data confidentiality can be impaired and sensitive information can fall into the wrong hands or into the public domain.
 
Integrity: The integrity of data can be harmed by intentional and unintentional incidents. Unauthorised modification of data can occur, making it unusable or leading to errors.
 
Availability: The availability of systems and information can be compromised. Systems can go down and remain unavailable for an extended period and disrupt business operations.

To estimate the potential impact on your own organisation, you need to ask yourself what the most critical IT assets of the organisation are, and what can happen to them as a result of a cyber incident.
 
A couple of examples:
 

  • In a hospital, the medical patient file is the most critical asset. If unauthorised persons gain access to this information, then patients could suffer considerable harm. Consider, for example, the medical file of a well-known person that is leaked to the press.
  • In a technology company (e.g., biotech or IT), the principal asset is often its intellectual property (IP). If this were to be stolen, the company's entire competitive advantage could be lost. In this way, many business secrets have already ended up in the wrong hands.
  • In a production company, the production systems are often the most critical, while in a logistics company it is the logistics systems. If these systems go down, it can lead to interruptions in the production lines and in the supply chain.
  • In a retail or B2C company, consumer information is critical, even more so when consumer behaviour profiling is performed or when payment data is stored.

 
These are the principal IT assets (systems and information) that need to be secured to avoid incidents. And when incidents do happen, good recovery plans and incident response procedures need to be in place to reduce the impact. IT is often not fully aware of which systems are the most critical from the business point of view. This exercise should therefore be carried out jointly by business and IT.
 
In the next article, David Cohen will look at the types of cybercrime and how they are perpetrated.