Of the many risks that businesses must face, it is now probable that cyber poses the greatest risk for any business – across the globe and across all sectors. Hardly a day passes without another high-profile global business hitting the headlines with the latest report of a cyberattack, and these incidents are costly. RMS recently estimated that the losses for the Marriott International incident could reach in excess of US$250 million, in an attack that impacted half a billion customers.
Managing the impact of a cyberattack is a complex, lengthy process, and losses occur from a long list of sources. These range from the immediate costs of securing or replacing IT systems, through the direct losses incurred by customers or suppliers, all the way to the “long-tail” losses of litigation such as customer class actions. Perhaps most damaging of all is the loss of reputation as customers feel cheated and violated when their personal details are stolen and sold. Businesses have to try and win back the trust of their customers who may never return.
I invite you to read an excerpt from Solving Cyber Risk, a new book jointly written by Andrew Coburn, Éireann Leverett, and Gordon Woo, which illustrates the origins and the mechanics of an attack, as well as its impact, by examining the Target cyberattack in 2013. The story of the Rescator cyber-hacker team, the perpetrators of a data theft involving 110 million payment card details from Target customers, is as worthy as any Ocean’s 11 casino heist. Reading the story, it is hard not to acknowledge the proficiency of this small team of hackers. They identified the vulnerabilities, drew up their target list, circumvented defenses, then, through a combination of luck and skill, struck gold and got clean away from the scene without a trace.
The excerpt demonstrates the lengths that cyber attackers go to, and the ingenuity and organizational capability they have, to ensure they get their prize. Many of the vulnerabilities that Rescator exploited have now been remedied, and maybe 2013 was a high-water mark for U.S. data breach incidents. Lessons have been learned and billions of dollars have been poured in to close the gaps. But with a largely invisible force of determined hackers ready to pounce on any vulnerability, there is no room for complacency, as the steady stream of recent very high-profile cyberattacks testifies.
Examining the Losses
As fascinating as the Rescator side of the story is, the excerpt also looks at the other side – the impact that the attack had on Target and wider society, breaching the trust between the business and customer. From the outset, it was a tough task to address the anxiety caused to Target’s customers, and to be able to thoroughly address customer concerns at the scale of millions of individuals. Customers’ questions around whether their card information was stolen, whether they had lost money, or if their credit history had been impaired, all needed answers. This took time as the forensics to understand the extent, duration, and transactions that might have been compromised took days to unravel.
Target then needed to go into overdrive to make amends to its customers. It worked with banks to have millions of compromised cards stopped and re-issued, offered free credit monitoring, and advice to counter secondary fraud – as the list of remedies went on and on. Target’s direct costs from the breach reached over US$200 million and took several years to accrue across a range of fines, claims, and mitigation costs.
The data breach also had additional consequences for Target Corporation. The Chief Executive resigned in May 2014, following the Chief Information Officer in March. Profits and share prices dropped as a result.
The damage to the company’s reputation caused a reduction in visits to its stores. Even after deploying win-back strategies, some estimates on the consequential costs of the impact on Target’s revenues suggest it could have ranged between US$1 billion and US$2 billion in the year that followed the breach. This is more than five times the direct costs and between 1.4 percent and 2.8 percent of Target’s annual revenue.
The consequences of the Target data breach have been profound. The many vulnerabilities that were exposed have been secured, so it is highly unlikely that a cyber hack using the same exploits and techniques as the Target data breach will be seen again. But it doesn’t mean that new techniques won’t be used to carry out a similar scale – or larger – cyberattack in the future.
In Solving Cyber Risk, the authors set out a framework for identifying, quantifying, and managing all the different types of cyber risk that companies, and society in general, will face in the future.
Order the book now on Amazon.