Process Innovation
01/27/2025 | Digital Innovation
In the digital age, businesses operate in an increasingly complex landscape where cybersecurity incidents are on the rise. But beyond the fines that make headlines, there are huge hidden costs.
A data breach can have massive long-lasting repercussions, and most companies don’t realise just how disruptive, time- and resource-intensive it can be until it happens. They can range from immediate financial penalties to long-term damage to reputation, customer trust, and market value. When preparing for the worst, businesses often tend to focus on the direct costs – fines, legal fees, security forensic consultants, recovery expenses and insurance. But there are equally damaging “hidden” costs which can impact long-term growth.
This goes for organisations across all sectors, from pharmaceuticals to process and engineering, regardless of the size of the business. For example, in 2017, a ransomware attack caused Merck & Co. to halt drug production and lose $1.4 bn. The attack also led to a loss of $260 million in global drug sales in 2017 and $200 million in 2018. However, there are other insidious costs to organisations after such an attack.
When an organisation is hit, the immediate focus is on compliance and regulatory fines, particularly if customer data is exposed. But these fines are just the beginning of the financial damage. Once a breach is discovered, digital forensics teams – often expensive external consultants – need to assess the damage, find out how the breach occurred, and recommend steps to contain it.
There are also crisis management costs, which include working with legal teams and cybersecurity experts and, depending on the scale and impact, the incident could escalate to lawsuits from shareholders and/or customers. Just take the 2023 incident at PharMerica Corporation, for example – a ransomware attack exposed the personal data of nearly six million people, and the company faced a class action lawsuit as a result. As the initial response is managed, the long-term damage enters the scene: brand reputation and customer and shareholder confidence can take a huge hit in the aftermath of a breach, an erosion of trust that can linger for years.
Then come the issues with insurance. After a significant breach, many companies find it difficult, if not prohibitively expensive, to obtain cyber cover, as insurers may either raise premiums or deny cover altogether. In fact, there have been many instances of insurance companies refusing to honour claims if a company didn’t maintain an acceptable level of cybersecurity resilience. For small-to-medium businesses, the inability to secure affordable cyber insurance could be disastrous.
Overall, according to IBM and the Ponemon Institute, the average cost of a data breach reached a record high of $4.88 million this year, but there’s clearly more to it.
There is one crucial element that often goes overlooked – the indispensable impact on employee morale. A major cybersecurity incident can have a profound psychological and cultural effect on the workforce, leading to decreased productivity, disengagement, and in some cases, a higher turnover rate.
Why might this be the case? Often, employees feel directly responsible for the breach, especially if it occurred due to a phishing email or a failure to follow security protocols. Workers might also begin to question the stability of the company and fear for their job security, especially in industries where layoffs are common after such high-profile breaches.
Employees will also often face increased scrutiny following a cyberattack. Organisations typically tighten their internal protocols, increasing monitoring of employee activities and adding layers of oversight. While these measures are necessary to prevent future breaches, they can create a culture of mistrust, where the workforce feels micromanaged and less empowered in their roles. And more often than not, in the wake of a cyberattack, IT teams are required to work overtime to restore systems, fix vulnerabilities, and manage recovery efforts. This added pressure, often without additional compensation or support, can quickly lead to burnout. Even employees outside of IT may feel the strain, as they deal with operational disruptions, customer complaints, and a general sense of uncertainty about the company’s future.
Additionally, overworked employees may start to disengage, leading to reduced productivity and lower quality of work. In severe cases, key personnel may leave the organisation. In a job market defined by skill shortages, this can have a profound effect on the business.
When it comes to shaping morale and culture, there is also a lot to be said about how leadership handles the aftermath of a cyberattack. If employees perceive that executives are not transparent or accountable for the breach, it can lead to a breakdown in trust. A lack of communication or a failure to acknowledge the severity of the situation may leave employees feeling undervalued and unmotivated.
The cost of a cybersecurity breach extends far beyond the immediate financial penalties, legal fees, and recovery expenses. It can also severely hinder a company’s long-term growth and valuation, as diminished customer trust and reputational damage often lead to reduced investor confidence and market competitiveness. While these cannot be ignored, the long-term impact on staff sentiment, culture, and overall business health should not be underestimated either.
Businesses need to adopt a holistic approach to cybersecurity that considers both the visible and hidden costs. This means not only maintaining cyber hygiene and investing in technology with threat detection and incident response, but also fostering a resilient workforce that can navigate the emotional and cultural challenges that follow a cyberattack.
A company that prioritises both external and internal recovery efforts will be far better positioned to weather the storm of a cybersecurity breach and emerge stronger on the other side.
Author
Vice President and General Manager EMEA of Graylog