What happens if you suffer a cyber breach? (If it hasn’t happened already)


Do you know what happens after a cyber breach in your business?

First of all, there is quite a reasonable probability that your business has already been hacked and you just don’t know it yet. Cyber attacks are becoming more sophisticated and hackers are finding new ways to penetrate systems whilst going undetected. Cyber attacks are on the rise and are only expected to accelerate in the coming years.

The bottom line (which in some ways should be enough on its own to propel you into action) is that the average price for a small business to clean up after being hacked stands at approximately $690,000. This includes direct and indirect costs but does not include the headache it will cause you.

According to IBM, well over half (62%) of cyber-attacks now target small and medium businesses because they are easier to penetrate. This amounts to 4,000 attacks per day. These attacks range from stealing personal identity information, holding companies for ransom or draining bank accounts, to stealing information for fraudulent transactions. Keep in mind that not all attacks are external either. Sometimes the cause is a disgruntled employee or human error by a staff member.

Here’s what happens following a cyber incident (and why it costs so much).

Business disruption

In the hours to days immediately after an attack, you stand to lose access to the affected IT assets (e.g. computers, servers, internet), either because you need to take them down to contain a virus outbreak, or because they are so badly damaged that they need to be rebuilt or reconfigured. Very likely you will also lose access to some (or all) of your critical data, such as the accounting information or customer files that enable business operation. As a result, employee productivity goes out the window.

According to research (2017 Cost of Data Breach Study: Australia), a business takes 67 days on average to contain a cyber breach. It’s not uncommon to see businesses crippled for days, particularly if the business is dependent on IT in order to function (that’s pretty much everyone these days!). This can be worse if a business is disrupted during its busy season, which could mean losing a large chunk of revenue.

Loss of data

Business data is the crown jewel of many modern businesses. In an incident such as a ransomware attack, data could be permanently and completely lost. In other types of attacks, data could be stolen or wiped from the computer or system. If your data was deleted but you perform regular data backups, you might be in luck and only suffer momentary downtime as you restore the backup. However, if you do not have a backup or the data was stolen, then there is no way to recover it without sustaining prolonged downtime and brand damage. There is no insurance that you can take out to cover the cost of losing the data (assuming that your cyber insurance policies are worth the paper they are printed on).

The business cost associated with recovering the data could range from days at a minimum, to simply going out of business (in the case of not being able to afford to recover or rebuild the data). The U.S. National Cyber Security Alliance found that 60% of small companies that suffered a cyber attack are out of business within six months.

Brand damage

Although it’s hard to pin a direct monetary value on this, it is probably the most damaging of them all. Losing client trust over a cyber security incident can translate directly into loss of business. Because your clients entrust you with their most sensitive financial and personal information, most will not return if your company has been breached. You will also lose value in the brand that you took years to build as the media rush to cover the story of the latest company or business that got hacked.

Direct financial loss

If the attacker gains access to any of your banking details, they may be able to wire money to accounts they control. You could also be hit with ransomware and face ransom demands in the thousands of dollars.

Post-breach costs

If you don’t have pre-arranged plans in place, it could be very costly to have security specialists respond to the incident onsite when a cyber breach takes place. The costs also include investigation and remediation costs to patch the security holes. These costs can be upwards of $3,000 per day.

Notifying customers

It is now mandatory by law for a business to notify its victims and the regulators about a security breach. The post-breach cost includes the cost of creating a contact database, postal expenditures, handling inbound communications, legal expenditures, and special consultant costs. This could be anywhere from hundreds to thousands of dollars.


Mandatory notification laws and regulatory laws are increasingly being tightened. There is now a real prospect of monetary penalties for businesses that fail to comply with data protection legislation.

The new Data Breach Notification Laws in Australia will take effect in February 2018, and apply to all businesses that:

  • have a turnover of $3M or more
  • deal with client TFNs (this applies to virtually all accountants)
  • trade in clients’ personal information (i.e. disclosing personal information to, or receiving it from, a third party for profit or as a service)

Failure to comply with the notification scheme can result in fines of $360,000 for individuals, and $1.8M for businesses. You will also face increased scrutiny and auditing from the regulators.

Lawsuit costs

Customers who become victims of identity fraud because of a breach can now sue companies in class action suits, as shown in recent security breaches.


Whichever way you look at this, the cost of a cyber breach is staggering, even for a small business. The only way to prevent and contain it is to ensure that you invest in and implement a comprehensive security program that meets industry standards. Security is an aspect of business that many people ignore until it fails. But when it comes to cyber security, a stitch in time really does save nine (or in this case $690,000).
