THE LONG TAIL OF CYBER HARMS
According to the European Union's Cybersecurity Strategy report from December 2020, the annual cost of cybercrime to the global economy was estimated at €5.5 trillion by the end of 2020, double the 2015 figure.
In cybersecurity, the accepted wisdom is that the vast majority of a cyber incident's damage is concentrated in an intense but relatively short period. Loss of business during downtime, ransom payments, IT recovery and remediation costs, legal and regulatory fines: all are substantial and quantifiable. The victim, professional service firms, shareholders, insurers, industry experts, competitors, regulators, and observers all assess or calculate the harms that occurred before business operations resumed. Cybersecurity incidents are considered resolved once regular business operations resume.
We at CyberStar are increasingly witnessing incidents whose damage exceeds preliminary expectations, both in severity and in duration. Much of the harm, cost, and labor is indeed concentrated in the incident response period, as expected. However, later harms protract and sometimes even intensify over months and even years, accumulating damage to a hardly negligible extent. Reputational harm, in particular, contributes to forming the “long tail”, so for many companies the complete cyber harms graph looks like this:
How does reputational damage aggravate the long tail of cyber harms?
A major cyber incident, along with the resulting downtime, unfulfilled orders and crippled customer service, will certainly harm the company's reputation. Immediate and future losses of potential customers and business are probable, particularly for maritime and logistics companies, where competition is severe and the switching cost for the end customer is usually low. The incident is also perceived negatively by other stakeholders such as business partners, vendors, authorities and others.
However, reputational damage is among the trickiest to measure and manage.
We identify two main causes for the rise of long-tail reputational damage:
- The rising awareness among all stakeholders of the importance of cybersecurity, and
- The rise of “double extortion” ransomware.
In the maritime and logistics sector, one would rarely see cybersecurity placed at the very top of the risk list. However, as the sector undergoes a digital transformation, awareness that cyber damage is real has recently grown. After all, quite a few organizations across the value chain have experienced first-hand that cyber incidents cause business downtime and cascading effects. As regulation still lags behind, fear, uncertainty, and doubt (FUD) can thrive. This early cyber maturity in the maritime sector also means that, sometimes, nuance about the breach and the response will be lost. Thus, information about a company suffering a breach has an increased chance of steering customers away from the victim, whether or not the details justify it.
Ransomware evolved significantly in 2020. The major ransomware groups adopted the double extortion practice. First, they continue to extort money for decryption keys, “as usual”. After breaching the victim's systems and before encrypting data, the attackers exfiltrate sensitive information in bulk. Then they add the new extortion: pay a second ransom to avoid the disclosure of stolen corporate secrets and PII, and the ensuing direct and secondary harms. If the victim does not pay, the ransomware operators leak the data, exposing the victim to further harm. Importantly, nothing prevents the attackers from taking their time. The victim may have paid the first ransom, covered the breach, and restored full operations. Then, after weeks or months, the second extortion may arrive. Suppose the threat actors leak the victim's data or auction it on the Dark Web. The incident analysis will reveal that the victim has been breached more than once. Moreover, it will expose that the victim was unable to detect, or concealed, or played down prior breaches.
These are but two key causes that aggravate reputational damage in terms of severity and duration and build the long tail.
Some cyber harms are easy to grasp; others are hardly tangible. A modern business leader must comprehend the entire range of impacts in order to devise the most appropriate cybersecurity posture. A cyber incident response plan must include reputational risk management, backed by a solid communication plan and an experienced team that can help oversee the organizational response to media, customers and other business partners. We at CyberStar bring actual field experience in managing reputational risk in the highly dynamic situations of cyber breaches at maritime and logistics outfits. Call us today and we will work with you on a plan for your business.