If you prefer reading to listening, you can get the full transcript of the episode here.
This is a question that not many business owners have an answer for, but it's something that you need to start thinking about.
In this episode of the Techcess podcast, Mark Riddell from m3 Networks discusses how you can put a monetary value on your company's cyber risk.
Do you remember the recent high-profile attack on Marriott Hotels, in which 5.2 million guests were impacted, exposing their personal information?
Or the case against Equifax?
Their attack left them having to agree to pay at least $575 million in damages.
As Mark explains, you need to take these threats seriously, and become aware of the monetary cost to your company if you suffer a cyber attack.
He explains that it's not an easy task, but with the help of a special calculator, it can be done.
And you can get that special calculator from Mark and the team at m3 for FREE thanks to this episode of Techcess.
You can find it here.
Go ahead and download it, but before you start using it, make sure you listen to the episode as Mark will talk you through how you can use it and ensure you're armed with the knowledge to face a cyber attack.
You'll hear Mark mention the episode about Cyber Essentials.
When you're ready to listen to that one, you can do so here.
Get more valuable technology insights from m3's blog pages, here.
Mark Riddell's technology podcast "Techcess" is an m3 Networks production. Mark and the team have created this podcast to help you and their clients understand how technology can help them in their industry and business, including helping them with cyber security solutions. To find out more about Mark Riddell and the rest of the m3 team, visit them here and follow them on LinkedIn.
If you want to get in touch about technology or cyber security, just address an email directly to Mark here. He'll be very happy to hear from you.
Thanks for listening! If you enjoy this episode, make sure you follow the podcast via your favourite app.
Putting a monetary value on your 'cyber risk' of a Cyber-attack
Mark Riddell: [00:00:00] Hi, I'm Mark Riddell. And in today's episode of Techcess, I'm going to be talking about why and how you need to put a monetary value on your cyber risk. Cyber-attacks on your business cost money. That's a fact. So if you don't know what potential financial costs a cyber-attack is going to have to your business, how can you plan to mitigate against that particular risk?
Of course you can have cyber insurance for your business, and that is going to help recover some of the financial losses that you have as a result of a cyber-attack. But just remember that insurance claim pay-outs don't just happen overnight. And during the claims process, you're going to be exposed to the financial losses of the cyber-attack until the insurance company compensates you for that.
So that's worth considering.
The better way to reduce the risk of a cyber-attack is to try and... well, just that, reduce the [00:01:00] risk. Prevent the likelihood of a cyber-attack affecting your business. Now it doesn't mean preventing cyber-attacks from happening. Of course, no one can guarantee that. But what it does mean is that if a cyber-attack does happen in your business, that you're reducing the impact that that cyber-attack will have within your business.
And then you also want to make sure that your recovery time from common well-known cyber-attacks is as best that it can be so that you don't have the downtime that goes along with a cyber-attack. According to the World Economic Forum's Global Risk Report, data fraud, data theft, and cyber-attacks are among the top five biggest risks that the world faces. A complex cyber-attack will destroy the brand of even the strongest organisations as well as cause other financial impacts like fines, loss of customers, loss of future business, and a loss of trust.
For example, in a recent data breach of Marriott Hotels, you might remember this [00:02:00] one, 5.2 million guests were impacted, exposing PII, personally identifiable information, including names, genders, phone numbers, travel information, and loyalty program data.
And in another case, as part of a global settlement, Equifax had to agree to pay at least $575 million and potentially up to $700 million with the Federal Trade Commission in the US, the consumer financial bureau and 50 US states and territories.
So that's a massive cyber-attack, right? And you're probably thinking, well, you know, that's a huge organisation, massive amounts of money and data involved, and that's not my business.
And you're right. And that is one of the biggest issues when it comes to cybersecurity is that the stuff that makes the news isn't quite often relevant to the average small, medium sized business. So let's then spend a few minutes and make it relevant to your business.
And I'm going to tell you how to calculate a basic [00:03:00] financial impact of a cyber-attack on your business. So I actually have a freebie to give away along with this episode, and that is my cyber-attack downtime cost calculator.
I could probably think of a better snazzier name for it, but let's just go with that just now because that's what my Excel file was called. So I'm going to give a link to download this file as a template.
Here is the download link.
So I'm going to talk you through this calculator, what it does, how it works and why it works.
So basically we're looking at a couple of things here that you have to put this data in and it's relevant to your business.
The first thing we look at is your annual turnover and we take your annual turnover and we divide that by the number of days in the year. And that gives us the daily revenue figure. So the example that I have here is a business that's turning over 2 million pounds and that equates to a daily revenue of five thousand four hundred and seventy-nine pounds. [00:04:00]
And this business has thirty employees. And what we do here is we put in an average hourly rate cost to your business for your employees. Now I'm working in very, very conservative numbers here. Okay. And I'm working on an hourly rate of 10 pounds. So we've got 30 employees costing your business 10 pounds an hour.
Hourly rate, that's 300 pounds an hour, 2,400 pounds per day, in staff costs. Okay. So a couple of simple, basic numbers there. So, how do we calculate the cost per day of your downtime? So we're going to take the revenue cost of 5,479. We're going to add on the staff costs of 2,400 pounds. And that gives us a total of £7,879.
Now what we haven't added in there is any operational costs. So, what does it cost your business in the heating, lighting, rent, other rates, insurance, vehicles, window cleaning, [00:05:00] office cleaning, coffee, paperclips, you know, all the other stuff that goes in to running your business. That is a cost. If you are to work out a day rate of all those things, you need to include that number here.
But since that's very difficult to calculate, and that's not something that you can do very, very easily, I'm leaving that out of here. So all we're working on is average revenue that you turn over per day and your staff costs per day because staff costs are usually the biggest cost in most businesses.
And like I say, we've got a daily cost of 7,879 pounds. Now we take a typical average time to recover from a fairly common cyber-attack as being around three days in most businesses. So for those three days, this 2 million pound turnover business with thirty employees, that's going to cost them at least 23,638 pounds.
Because they've lost the revenue for three days and they've still had to pay their staff for those three days. So that's a very conservative figure, probably a very lowball figure [00:06:00] because I can imagine you're not paying your staff 10 pounds an hour, certainly not all your staff will be on a kind of lower earnings rate.
You can break this down to give you a bit more realistic figure, which is to break down your employees in groups to say, well, we have five sales staff that earn this per hour. We've got admin staff, we've got drivers, manufacturing people, our receptionist, and then director level and what they earn per day.
So you can kind of take this to the next level to kind of work out what your staff cost is per day. But again, for this example, stick with the 10 pounds an hour and thirty employees. So you can see just for a 3-day cyber-attack that takes your business offline, that's almost 24,000 pounds, and that's not including the cost to recover from the incident.
So if you add on having to pay your I.T. provider or pay someone to do some recovery, to get your business back up and running, add that cost on. So you can see how [00:07:00] it's very easy to put a financial figure on a potential risk, right? And we're not saying specifically what the cyber-attack is here. We're not saying what the long-term effects of the cyber-attack will be.
We're just looking at a simplistic way of allowing every business to at least start somewhere and put a monetary figure on what potential risk are you carrying? Of course, the implications of any personal data being lost under the Data Protection Act and UK GDPR, which is included in that, and any fines that you may be landed with, then, of course, that's not covered here.
And thankfully, that wouldn't be an immediate impact like these costs would be. If you do have an investigation from the Information Commissioner's Office and you do get hit with a fine, of course, it's probably going to take quite a long time for that to come to fruition.
So from a cashflow point of view, at least you're not shelling out all that money in one go. What we're also not covering here, whether anyone's picked up on this or not, we're also not [00:08:00] covering any potential ransomware fines that a criminal organisation might ask of you.
So, and obviously ransomware being one of the most common cyber-attacks, if you're being asked to pay a ransomware fine here, so if this business has been asked to pay another 50,000 pounds as a ransomware fine to get their data back, then you add that onto this cost. So you can see quickly how the costs for a simple cyber-attack can escalate massively.
This is an exercise I think every business should go through, put the numbers into the spreadsheet. It's going to give you a very basic, simplistic cost, but what I hope will open your eyes to the potential costs that you're carrying by not doing anything to reduce your risk of a cyber-attack.
I guess the next question is as well, once you go through this exercise, what do you do with that information? Well, what you should actually do is then immediately go and speak to a cybersecurity company and [00:09:00] work with them to carry out a cybersecurity risk assessment to establish the risks that you have within your own organization.
And then they will be able to create you a cyber security strategy to mitigate against the most common risks facing your business. At a very bare minimum, I would recommend that if your business isn't Cyber Essentials certified, and I do have podcasts on Cyber Essentials and what that is, so I'll not cover that in today's episode, we can link to that in the show notes, but at a very minimum get Cyber Essentials certified, which will reduce your risks of a lot of the common cyber-attacks and threats out there, but you should really be speaking with a cybersecurity specialist. We do this here at m3. So if you want to reach out and talk to us, then please feel free to do that, but speak to someone at least and look at that financial figure and realise that that is a real figure that you could potentially stand to lose if you don't [00:10:00] take action to reduce your risk of cyber-attack.
And this is not scaremongering. I hear a lot of this in the industry and people say, oh, it's just scare tactics. And you're just trying to put the frighteners up people so that they actually spend some money. Hey, this is your business. Whether you take action or not is not going to impact me, but it will impact your business when you wake up and your business is dead in the water and you're facing a huge amount of money just to keep your business survive.
And I've spent a lot of time here at m3 building and growing the business here, along with my other directors and colleagues. And certainly we would not want to put all that hard work and years and years of blood, sweat and tears to waste just because of a basic cyber-attack that I could have mitigated against for a low cost and working with a professional who knows what they're doing.
It's up to you, you decide what risks that you want to take in your business and what you could potentially stand to lose. And as I say, pay your money, take your chances. So I hope that was useful. Please use the cost calculator to look at that and get [00:11:00] a figure that is meaningful to you and your business, and hope you enjoyed this episode.
Please remember to subscribe to the podcast so you get notified of future episodes, and I hope you have a great day in business.
Techcess is a podcast from m3 Networks
Transcript provided by Podknows Podcasting