Has the White House got it wrong with its ‘Cost of Malicious Cyber Activity to the US Economy’ report? It estimates damages of up to $109 billion per year – which is a nice media-friendly figure, but anyone actually reading the report is likely to dismiss it, because the way in which these damages are measured is strange to say the least.
The damage calculation is based primarily on the average drop in stock price taken seven days after breach disclosure. Seven days is so short-term I don’t know where to begin with it. Every firm has a minor blip in its stock following a breach, but this typically bounces back within 30 days, so stating that the average cost of a breach to an enterprise is $338m – a percentage point of market cap – is just irresponsible.
Furthermore, in the last three years most firms that experience a breach (there are exceptions, and it depends on the motivation of the attacker) are back to tracking the market within six months.
I’m not saying that the sentiment behind the report is wrong – it’s not – business needs to do more to defend itself. In fact, if we take long-term damage into account, the $109 billion damage figure may actually not be high enough. The issue here is that any business leader who takes a peek under the hood will, in this instance, simply shrug, mutter something about ‘Cyber FUD’ and walk away.
What is really frustrating is that in the depths of this report the real risks to business and economic success are well articulated and understood, but as is so often the case with cyber, the reality is buried under a media-friendly headline.