The staggering cost of password hacks

Ever wondered what a hacking incident costs a business? Has your IT team set aside a contingency budget for it? Recovering from a hack unfortunately isn’t a case of just installing a new firewall or updating anti-virus software; with 2014 stats pegging the cost of a business data breach at a staggering $3.5 million (£2.1 million).

Studies over a nine-year period by the US-based Ponemon Institute confirm that – at 44% – malicious attacks are the most common cause of business data breaches.

For the average business, the costs associated with these attacks are nothing short of titanic, and the risk of going under a very real prospect.

Tip of the iceberg

The price tags for a data breach fall into three categories: direct costs (for example, hiring forensic experts and setting up customer hotline support), indirect costs (such as internal investigations and a stream of communications), and opportunity costs (the loss of lifetime value from existing customers and acquiring fewer new customers).

Easy-to-count direct costs are just the start of it: indirect costs are typically double that of the direct costs, and opportunity costs come in at a substantial 38% of the final figure.

In line with the societal trend towards a compensation culture, legal costs are rising year on year as claimants engage in ‘no win, no fee’ arrangements with lawyers, often prolonging management of the fallout for years.

Malicious attacks cost more

If a data breach is defined as one in which an individual’s personal data is potentially put at risk, then the average cost per compromised customer record is $201 (£123), but this rises to $246 (£151) for malicious causes.

Ultimately, what hackers want is passwords, and the methods of choice behind malicious attacks are malware infections, phishing, social engineering, source code injection and having accomplices on the inside.

The statistics on the vulnerability of business passwords suggest that 90% are considered hackable and that over 50% of them are hackable within minutes. Coupled with the known number of new malware strains running into tens of millions per year, the outlook isn’t great.

Small businesses are more vulnerable

Small businesses are prime targets for hackers, who know that even basic security measures such as password protection are sometimes absent.

These businesses tend to spend less on IT security, seeing it as a disproportionately large cost, but this short term strategy could have unexpected long term consequences: a study by the Payment Card Industry (PCI) Security Standards Council (SSC) found that 60% of small businesses close within six months of experiencing a breach.

To be forewarned is to be forearmed

In Ponemon’s year-on-year studies, the steps companies take in the wake of a hack form a familiar pattern: revisions in endpoint security, more training and awareness, greater use of encryption, and better identity and access management.

No matter the size of the business, if it’s passwords that hackers want, the most cost-effective factor which can mitigate against a malicious attack is a formal security policy which requires users to set up robust passwords.

Strong passwords are words or phrases which are – first and foremost – long and, for added security, complex (containing a mix of cases, numbers, and special characters). Whilst this makes them more challenging for users to remember, password management tools with single pass phrase mechanisms are a worthwhile option.

For want of a nail

As the saying goes, for want of a nail the shoe was lost; for want of a shoe the horse was lost; for want of a horse the rider was lost; for want of a rider the message was lost; for want of a message the battle was lost; for want of a battle the kingdom was lost; all for the want of a horseshoe nail…

The message is that small things can have large consequences. Business owners need to know that strong passwords are their horseshoe nails, and that they are key to securing their kingdom.