Cyber Security

Cybersecurity Part 3: Business impact of cyberattacks

How common are security breaches? What is the cost? To understand the importance of Cybersecurity, you first have to understand the business impact of cyberattacks.

January 25, 2021

This is the third article in our 4 part Cybersecurity series:

  1. Cybersecurity & Cyberattack Terms
  2. Changes since Work from anywhere became prevalent
  3. The business impact of cyberattacks
  4. Cybersecurity best practices

Many times we read headlines about an accident or event and think to ourselves ‘could that happen to me’. Typically the answer is yes; it ‘could’ happen.

Understanding the impact of such an event determines how or if we take measures to address the threat.

In this installment, we will look at the business impact of cyberattacks (monetary and time). By the end of this article, you will have a clear understanding of the threat cyberattacks pose to all businesses.

Business is closed
Many breaches won’t be discovered for months, most breaches won’t be caught by you, some breaches won’t have an impact on your business.... but all it takes is one fraudulent breach and the cost to you and your customers could be catastrophic.

Breach Statistics


  • 55% of attacks occurred at companies with less than 100 employees ( Q2 2020 statistics)
  • 37.9% of surveyed employees were likely to click a link or obey a fraudulent request (2020 phishing security test results: knowbe4)
  • 70% - 91% of successful breaches used social engineering (2019)
  • 20% - 40% of successful breaches utilized unpatched systems (2019)
  • >25% of breaches went undetected for more than 3 months (Verizon's Data breach Investigation Report)

There are many software, appliances, and utilities for reducing the business impact of cyberattacks. Any IT service provider worth their salt should already have a dependable and capable security stack which they continually monitor for updates and incidents.

As you can see from the statistics above; a properly deployed security stack may have thwarted 20% - 40% of successful breaches in 2019.

The largest opportunity for hardening your cybersecurity readiness lies in your users. If you're asking yourself ‘how is that accomplished’.....  We will cover this in our next article.

Monetary & time cost:

Data breaches and hacking are now considered the #1 threat facing company executives. ( cyber risk outlook 2020)
  • $178,254 - Average Ransom demand for a breach (figure from
  • $64,000 - Average downtime costs
  • $242,254 - Total average cost for a data breach
  • 16 days - Average time once ransom is paid to get data decrypted, systems rebuilt, security configured, and systems deployed.

These are the upfront known costs of a breach. They do not take into account the impact a breach would have on your customers.

Cybercrime predictions:

Cybercrime magazine: Cybersecurity facts, figures, predictions and statistics
  • $6 Trillion annually - Cybercrime damage costs by 2021
  • $1 Trillion cumulative - Cybersecurity spending from 2017 - 2021
  • 11 Seconds - How often a business will be hit with a ransomware attack by 2021

These statistics have doubled since 2015 and will continue to rise.

To pay or not to pay

We will include more details on this in our 4th Cybersecurity installment 'Protecting yourself and your company from cyberattacks'

You've been compromised, the attackers have encrypted the data your business depends on and they are asking for a ransom.

Your IT department has been diligent in maintaining backups of your data and even have 'air gapped' backups. Beyond that they are super stars as they routinely verify the backups to ensure they can be successfully restored.

Problem solved.... just restore a known good backup and take a few long days to recreate the missing week of data not included in the clean backup (completely overlooking that the cybercriminals have likely been in your network more than 6 months).

A few years ago this approach may have worked. Around 40% of victims payed the ransom back then. Today that number is close to 95%.

Previously cybercriminals only leveraged your data to demand payment. They have now realized, with full access to your network and data, they have a treasure trove of information they can use to persuade a victim to pay the ransom. With access to employee emails, client and vendor contacts, project data, accounting data, messaging data.... they are threatening to:

  • Target your employees
  • Impersonate your company to infiltrate your vendors and customers
  • Post or sell your data to competitors or other hackers
  • Release information about your company breach to the public
OK.... I'll pay the ransom

Not so fast. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) may impose a fine if a ransom is paid...... WHAT! - More on this in our 4th Cybersecurity installment.

Starting your cybercrime business (don’t do it)

I’m including this as an eye-opener to how easy becoming a cybercriminal could be. ABSOLUTELY DONT do this. This is a major driver in the increase of phishing emails in 2020.

Ransomware has been around since the first virus was created in 1989 by Harvard-trained evolutionary biologist Joseph L. Popp who is now known as the father of ransomware. Ransomware started gaining in popularity in 2016 when the Hollywood Presbyterian Medical Center shelled out $17,000 in bitcoin after an attack took the hospital offline.

Way back in 2016 :) you needed to have a high level of knowledge about networking, computers, and coding. Now all you need is a little money (sometimes not even that).

You may be familiar with SaaS (software as a service). Cybercriminals are now offering RaaS (ransomware as a service). You purchase access to a RaaS workstation that is loaded with compromised user accounts and start phishing.

In some cases, there‘s no subscription fee or buy-in; many RaaS developers use “affiliate” models where the developer collects all of the ransom money extorted by affiliates, takes out some percentage as commission, and passes on the remainder.

For those thinking of a career change...

Guidelines for Cybercrime in the USA are extremely broad and carry stiff penalties. The maximum penalty for computer abuse crimes under the federal anti-hacking law — known as the Computer Fraud and Abuse Act, or CFAA — is 10 years for first offenders and 20 years for repeat offenders.

Security Breach News

These are a few security breach incidents that show the business impact of cyberattacks. This report covers the 3rd quarter (July - September 2020).

Most of these breaches are just that.. a breach of security. The fallout from exposing customer data is not included in these numbers.

Data from Cybercrime magazine: Who’s hacked? Latest data breaches and cyberattacks

September 2020 - 27 incidents:

  • Sep. 28. Wall Street Journal reports a data thief has posted online documents stolen from the Clark County School District in Las Vegas. Documents include Social Security numbers, student grades, and other private information. It’s believed the data was posted to a hacker forum where it could be easily viewed because the district, which has about 320,000 students, refused to pay a ransom to destroy the data.
  • Sep. 23. Comparitech researchers reveal an unsecured online database belonging to Town Sports, which operates a chain of gyms, fitness clubs, and spas mainly in the Northeast United States, exposed to the internet the records of 600,000 members and employees. Comparitech says the database was exposed for at least 11 months before it was secured.
  • Sep. 15. The parent of Dunkin’ Donuts agrees to pay $650,000 in fines and costs to settle a lawsuit stemming from a data breach from 2015 to 2018. Under the settlement, Dunkin’ Brands Group agreed to notify customers affected by the attacks, reset their passwords, and provide refunds for unauthorized use of the chain’s value cards. Dunkin’ neither admitted nor denied wrongdoing as part of the agreement.

August 2020 - 14 incidents:

  • Aug. 20. U.S. Justice Department charges Joseph Sullivan, 52, former chief security officer at Uber, for allegedly paying hackers $100,000 to hide a 2016 data breach at the company that affected 57 million users and drivers. The DOJ complaint also alleges Sullivan deceived the new management of the company about the incident after it hired a new CEO in 2017.
  • Aug. 19. South African branch of consumer credit reporting agency Experian discloses data breach. It says it gave personal details of South African customers to a fraudster posing as a client. Although the company did not say how many customers were affected by the breach, South African Banking Risk Centre, an anti-fraud and banking non-profit, claims the breach affected 24 million South Africans and 793,749 local businesses.
  • Aug. 3. Sky News reports Garmin, a maker of navigation and fitness devices, paid a multi-million dollar ransom to a ransomware gang that disrupted the company’s computer systems. It says the ransom was paid to the hackers through a third party, Areta IR, which specializes in ransomware negotiations.

July 2020 - 15 incidents:

  • Jul. 28. Drizly, an online alcohol delivery startup, informs its customers their personal information is at risk after a hacker obtained their data during a data breach. It’s estimated that as many as 2.5 million accounts are affected by the incident.
  • Jul. 1. Researchers at Comparitech report that since 2005, K-12 school districts and colleges and universities in the United States have experienced more than 1,300 data breaches, affecting more than 24.5 million records. It adds that California schools and universities have had the most records affected during the research period and that public institutions are affected by breaches at a higher rate than private schools.
  • Jul. 1. Canadian privacy commissioners in Ontario and British Columbia release report finding that LifeLabs failed to protect the personal health information of the 15 million patients impacted by its 2019 systems breach, due to its failure to implement reasonable security safeguards and policies. The incident was the second-largest healthcare data breach of 2019.

How are you doing?

I am hoping this article has opened your eyes to the importance of cybersecurity by providing the business impact of cyberattacks.

If you haven’t gone through a cybersecurity readiness assessment I would highly recommend doing so.

If you're not sure where to turn for the assessment; Agave IT Services has the experience and tools to perform the assessment and provide you a clear picture of your readiness to withstand a cyberattack.

What is next?

In our final Cybersecurity article: Cybersecurity best practices; we will cover best practices for keeping your data and users safe.

Make sure to check back here in a few weeks for those great tips.  

Matthew worked with Agave IT Services as a Brand & Content Consultant through 2020. He managed our company transition from Agave Solutions Inc. to Agave IT Services (dba). From our Logo to our online presence and business operations platform; Matthew created a solid foundation able to support our growth into the future.

You can find
LinkedIn icon

Agave IT Services

We are an IT Services and technology company serving the southwestern United States since 2003. We specialize in supporting, managing, and deploying technologies for the AEC industries' unique requirements. We differ from the typical IT service provider in that we handle ALL your technology needs, freeing you to focus on your core business.

You have a vision
we want to help you get there

Our approach to IT Service is unique. Let's see how we can best serve you!
Yes Please!