The True Cost of Hacking

Hello everyone. I started this thread to put a dollar amount to the cost of a company being hacked. Many times script kiddies don't understand how their deeds affect people. Hopefully putting a dollar amount to their actions can open up their eyes a little.


I'm going to post some figures, please follow suit and post the figures as you see them as well.

Each one of the following will cost individuals, companies and governments big time $$, although the dollar amount will vary, acrossed the board the one thing in common is that it's expensive:

Downtime -- Company has ceased to continue bringing in income

Idle Employees -- Workers are sitting around idle, because they can't access their work systems

Laid off Employees (a) -- The company, have it's bottom line affected must lay some employees off to meet financial expectations

Laid off Employees (b) -- Someone's gotta take the ax for allowing the incident to occur in the first place, most likely this is going to be the security personnel or I.T. workers that didn't sufficiently secure the system that got breached.

Laid off Employees (c) -- The laid off employees might be forced to seek unemployment compensation, costing tax payers money (at this point).

Lost Production and Revenue -- The company that got hacked is losing money because they are idle while their competitors are fulfilling orders.


Please add more to this list as you see fit

Thanks,
--PuRe

Quote:

---

Originally posted here by PuReExcTacy
Laid off Employees (b) -- Someone's gotta take the ax for allowing the incident to occur in the first place, most likely this is going to be the security personnel or I.T. workers that didn't sufficiently secure the system that got breached.

---

This would be sometimes the management's poor understanding of network systems... Consider a D[R][D]oS, that can't readily be avoided no matter the security measures taken. And there's always 0-day exploits [but let's say you'd rarely have skids taking advantage of them]

My additions:

- Money going into a network 're-think' sprung from the FUD generated by a succesfull attack. I think that's one of the proeminent cases out there...
- Same FUD generates loss of income in research companies because they cannot know for sure [well, sometimes they can] whether their research products have been compromised or not.

Cost of time to investigate - internal and external (police etc)

Cost of Identity theft, depending on what info is accessed

Cost of companies stock vaule, if it has shares

Cost of losing your innocence in the prison shower if you get caught ;)

Quote:

---

I started this thread to put a dollar amount to the cost of a company being hacked. Many times script kiddies don't understand how their deeds affect people. Hopefully putting a dollar amount to their actions can open up their eyes a little.

---

Just to play Devil's Advocate... I'd imagine the response might be something like this...

"Microsoft and other big companies makes tonnes of money. Why on earth should I care about whether they lose any or not? It's not going to affect me. I just get their software off the Internet anyways."

That said, this almost makes me think of that sign you'll see in some stores "Shoplifting hurts us all". They don't care if someone loses their job (until it happens to them). They don't care if someone else is robbed (until it happens to them). They just care about "what's in it for me?". You can say cheaper prices but the cynic in many of us would say "prices go up anyways..".

I don't know if showing costs would convince some not to do this. Now, if it resulted in a loss of computer/internet privileges... well. That'd be different I'd image. Can you image the wail and outcry if they weren't allowed to play with a computer?

You can insure against loss of earnings due to hacking, it costs around $4,000 per $1M insured.

Article here:

http://www.accountancyage.com/News/1132544

I am inclined to take a somewhat broader view. What is the cost of security and preventing being hacked to business?

Quote:

---

Originally posted here by nihil
I am inclined to take a somewhat broader view. What is the cost of security and preventing being hacked to business?

---

depending on the company probably alot less thenthe potential loss. Lets say its an accouting business with 100 customers. They hold all financial records for their clients, 1 good hack and they dont lose money from the hack itself, but I guarantee they lose a bunch of customers, and probably get sued.

Quote:

---

depending on the company probably alot less thenthe potential loss. Lets say its an accouting business with 100 customers. They hold all financial records for their clients, 1 good hack and they dont lose money from the hack itself, but I guarantee they lose a bunch of customers, and probably get sued.

---

True but if you are going to show the company, don't show them the FUD. Show them what they will save by implementing good procedures to follow that ensures security (not just what the toys do but how to ensure a "culture of security" is part of the company).

Attackers will attack regardless of the costs that companies will face. Companies will find ways to avoid implementing things unless it affects the bottom line and ROI. They won't take into account "what ifs" and "might happens". But if it means immediate savings and results in higher profits they'll go for it. I remember there was a survey/story about this but I can't find it. Basically, if you implement procedures and standards for the sake of security and good IT practises (best practises ideas and dealing with SOX), you're costs go down and savings increases.

Quote:

---

I am inclined to take a somewhat broader view. What is the cost of security and preventing being hacked to business

---

Catch, harped on about this at some length, in a few of his posts. The need for an acurate risk assesment.............................................Not alot of point in spending £/$ Hundreds/Thousands. If what you are trying to protect has little value.

That list is only true when a SK dose a Dos attack but if say some one with maby real skill actual hacked in the numbers that a company throws out is way out of per potion. lets say some one hacked in to a newspaper companies system and used their connection to pay data bases to do some searches then he is caught that company would say he caused like $600,000 in damages but ware did that come from. was it paying their IT guys extra to do what they should have done.

The true cost of hacking, IMHO, covers everyone, not just businesses and not just homeowners. There's so many discovered hacks nowadays, coupled with spam email, aligned with spyware, etc..it's not even funny.

If I were going to ask the question of what it would cost, I'd first rephrase the question to "What's the cost of hacked systems, spyware, spam, and the like?".

Some people say it's the duty of the vendors and software companies and even the resellers (HP/Gateway/etc) to ensure that Windows is more secure because getting patches is hard, not user-friendly, a long download for those on 56k, etc..the list of excuses goes on and on. For a hacked system that a homeowner has that could've been prevented had it been patched, the cost is very little. When you consider how many get taken every day, that cost exponentially increases. One would think it'd be prudent for said homeowner to "learn" something, but hey, that might be asking too much nowadays.

Businesses are somewhat in the same boat. So many companies now have such a long time to get something done, it's not even funny. Our "change management" team has to approve anything that goes on in the computer section of the company and it takes a good two weeks for them to do anything. What does this do? This puts us two weeks behind the curve and it's supposed to be our fault if something gets broken in the meantime? Rather unfair for us, don't you think?

Hacking systems and the downtime created from spam email and spyware cost a company quite a bit in lost time, resources, etc. However, when given the option to negate a lot of those costs by fixing the problems, they don't. Because of the cost of improved systems, improved software through patches and newer releases, and various other ways (hardware firewalls, etc), they'd rather "invest" that money elsewhere (sales, etc). So who's fault is it then?

All in all, I guess it would be costly across the board simply because so many computrers all have the same OS (XP/2000/etc) in elements of lost time, lost machine access, lost ISP time (shut off accounts/etc), fried OSes which results in reinstalls, etc...