When creating a budget, an experienced manager will always take into account non-productive factors, such as wastage, degradation, unforeseen circumstances, and so on. Add to that the necessary costs of hedging those expenses, such as insurance, and suddenly a product or service costs so much more than the sum of its parts—costs that are then passed on to the consumer.

Unfortunately for the end-buyer, the costs of cybercrime get factored in, too. That means that when a data breach costs the company money, the company can either claim the loss from insurance or include the cost in the price. The client pays not only for the carelessness of an employee who clicked on a phishing link, but also by having his or her data compromised.

IBM’s latest data-breach report estimates the average price of a data breach at $4.4m, and a huge percentage of companies surveyed suffered more than one in the past year. According to ZDNet, when it comes to ransomware, 83% of those held hostage preferred to pay the ransom, even though this did not improve their cybersec expenses by much in the long run. More shockingly, the IBM report emphatically states that 80% of national infrastructures have not yet adopted zero-trust strategies in their cyber-infrastructures!

So why, you would think, after being attacked do companies not take more care; and why, despite FBI warnings and the sharply declining rate of ransom payments (yep, the number of victims paying ransom has decreased by at least 30% QoQ) do too many companies agree—as part of their policy, no less—to pay up?

Sinking into routine

As long as security breaches were considered an above-the-line cost (what it costs to deliver a product), the odd mishap could be contained by shifting some cash or taking up insurance. Unfortunately, cybersec issues have by now entered those expenses considered inherent in running a company. The price of a breach is now located below the line, often under a dedicated item.

Ransom victims save only marginally by paying ransoms; most of them are marked as easy victims and targeted for repeat attacks; the outlay for sweeping up the mess is significant; migrating to the cloud only exacerbates the problem; and phishing attacks are usually the most carefully planned and—consequently—the most damaging financially. They are certainly the most prevalent channel of entry for an enemy agent, after compromised credentials.

The price of phish

Blackfog CEO Darren Williams has told Computer Weekly that cyber insurance is no longer easy to obtain—a situation that only occurs when the insurance companies realize that the payouts exceed the premiums. And, because data breaches have become so widespread, no company would dream of sponging up the spill on its own. No! It’s entered into the pricing. At some point, it becomes an inflationary strain on the economy—a “cyber tax”, as Robert Lemos in Dark Reading so aptly describes it.

The price of the product/service goes up, and not only does the consumer pay for the company’s carelessness; he/she is now also paying for the honor of having his/her data in the hands of a cybercriminal.

IBM’s report strongly advocates for adopting zero-trust protocols, deploying artificial intelligence-based security tech to “perfect their perimeter” rather than investing in mopping up the spill, and investing in hybrid cloud solutions when migrating, rather than relying solely on either public or cloud services.

And yet, clearly, the human factor remains paramount. Training staff and clients to be vigilant can help prevent careless link-clicking, and examining a web address (URL) before entrusting your data to it can prevent heartache. In other words, don’t trust your data to someone who is willing to compromise it—neither an online grocery store nor a social network.
Quite simply, before paying for an expensive phish, smell it.
