Cyberattacks against companies don't hurt them much financially, Rand study finds

Sept. 27, 2016
Lack of major losses is discouraging many businesses from improving their cybersecurity posture

SAN DIEGO - The soaring number of cyberattacks against American companies is causing comparatively little financial damage, which is discouraging many businesses from beefing up security, Rand Corp. said in a study released this week.

Rand researchers estimated that a typical computer breach costs a company about $200,000. For many firms, that figure represents less than 0.4 percent of their annual revenue.

The researchers also said the losses from cyberattacks are generally smaller than the losses caused by fraud, theft, corruption and bad debt.

Their findings were published Tuesday in the Journal of Cybersecurity.

"Relative to all the other risks companies face, the cyber risks often aren't as big a deal as we think," the study's lead author, Sasha Romanosky, said in a statement. "It may be bad for you if you are the victim, but it doesn't change the behavior or strategy of a company.

"Like you and me," Romanosky said, "companies are self-interested and operate in ways that minimize costs."

The Rand findings are similar to those of a 2015 study by Columbia University, which said major data breaches at many Fortune 500 companies ended up costing the firms less than 1 percent of their annual revenues. The companies included Target Corp., which experienced a data breach in 2013 that revealed information from 40 million debit and credit card accounts.

Rand said its analysis comes partly in response to a request by the Obama administration to help create voluntary guidelines for improving information security, which can vary greatly from company to company.

Romanosky said the number of data breaches increased from 64 in 2012 to almost 250 in 2014. Hackers heavily targeted health, insurance and finance companies, as well as the government.

Murray Jennex, a cybersecurity expert at San Diego State University, offered a different perspective. It's very difficult to determine cost for "compromised data because there is only a real cost if someone uses the data to do something bad. Much data is stolen without ever really being used," Jennex said.

Mark Heckman, a cybersecurity expert at the University of San Diego, said a broader context is needed.

"A small firm that suffers a cyberattack that might register as a small cost in this report's data might still be out of business as a result of the attack. So the cost in dollars is not the whole story," he said.
___

(c)2016 The San Diego Union-Tribune
Distributed by Tribune Content Agency, LLC.