KnowBe4 Cybercrime Case Study Reveals True Cost of Network Breach

While cybercrime statistics hint at the alarming financial consequences of an Internet security breach, a recent case study from Internet Security Awareness Training (ISAT) firm KnowBe4 breaks down the actual costs incurred by one small business. Cyberheists of bank accounts or proprietary data can result in huge financial losses; but as this case demonstrates, a compromised webserver can have expensive repercussions even when there is no theft of funds or data.

Cybercrime can financially impact a business in several ways. In addition to measurable costs – such as those relating to repair/replacement of systems, loss of revenue and loss of productivity – there are also more intangible costs associated with loss of reputation. A 2010 Symantec survey found that 75% of small and medium businesses (SMBs) were victims of cyber attacks in the previous year, with an average annual cost of $188,242.* Some suffered direct financial costs that were substantially higher; however, even smaller losses in the four- or five-figure range have the potential to cripple a small business.

KnowBe4’s founder and CEO Stu Sjouwerman (pronounced “shower-man”) tells the story of a network breach at a small company, which will be referred to as Acme, Inc., to protect the firm’s privacy. Acme provides a subscription service to a specialized database, and its network consists of 20 workstations, a SQL server, an Exchange server and a dedicated website server, all linked together via a broadband connection. The company did not have a trained IT team, just one person serving part-time in an administrator role. When Acme’s webserver suddenly started experiencing much higher levels of traffic from countries where the company did not conduct business, staff suspected cybercriminals had broken into the network.

The investigation found that one of the workstations had become infected with Zeus malware after an employee clicked on a link in a phishing email. All of the servers and a number of workstations were compromised, giving cybercriminals full access to the network. Acme’s logs revealed that the webserver was being used to host an illegal music download service, and it was also discovered that the perpetrators had installed hidden rootkits.

The disinfection of Acme’s network required considerable time and expense. KnowBe4 spent 110 billable hours correcting the problems associated with the network breach, including:

  • 10 hours to select, order, configure and install a quality firewall
  • 20 hours to build a new webserver, upload digital backups and bring it nearline
  • 25 hours to scan all servers and workstations with several anti-malware tools to locate rootkits
  • 15 hours to wipe and rebuild Windows on all workstations to ensure removal of all rootkits
  • 10 hours to install anti-malware software on all servers and workstations
  • 10 hours to bring the new webserver online and debug the initial problems
  • 20 hours to repair things that broke during the rebuild, install drivers, bring printers back online, etc.

At the standard rate of $90 per hour, the total cost for these technical services was $9,900. On top of that, Acme incurred loss of both revenue and productivity during the repair and rebuild. The webserver was offline for an entire day, resulting in approximately $6,600 in lost revenue. Each of the company’s 20 employees lost at least one workday while the systems were undergoing scans and rebuilds, at an average cost of $120 per person per day – for a combined productivity loss of about $2,400. Between the outside consultant fees, lost revenue and lost productivity, this single network breach cost Acme a total of $18,900.

“Many small and medium enterprises think they’re adequately protected against security threats because they have anti-virus software. But the reality is that cybercriminals can bypass that software by tricking an employee into clicking a link in a phishing email,” explained Sjouwerman. “Most business owners have no idea of the time and cost involved in disinfecting a workstation, let alone an entire network. Acme paid nearly $20,000 to undo the damage caused by one employee’s unwitting click. Those costs would have been exponentially higher for a midsize company with a larger network. And just think how much a business stands to lose when cybercriminals use their network access to capture login information and passwords for bank accounts and other financial transactions. That’s when losses rapidly escalate into six figures.”

To help businesses understand the potential return on investment (ROI) of Internet Security Awareness Training, KnowBe4 posted an ROI calculation page on its website. “The Acme case demonstrates the potential financial repercussions of a phishing attack. Our research has shown that training can reduce employees’ susceptibility to phishing attacks by 75% after the very first session; and that subsequent testing and retraining can shrink the percentage to close to zero in a matter of weeks,” asserted Sjouwerman. “It pays to invest in cybercrime prevention training. A 200-seat KnowBe4 annual subscription costs less than $1,400 – far less than what a company would pay to correct a network breach.”

Sjouwerman encourages owners of small and medium enterprises to take advantage of KnowBe4’s free phishing security test to learn what percentage of their employees are Phish-prone™, or susceptible to phishing. This can help provide a clearer picture of a company’s risk level in matters of Internet security. He also recommends that executives familiarize themselves with cybercriminals’ strategies and tactics by reviewing the free cybercrime education resources published on the KnowBe4 website. A more in-depth analysis of the business of cybercrime and advice on how to combat it can be found in Sjouwerman’s new book, Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.

For more information – including details on the Acme case, ROI calculation figures and free cybercrime education materials – visit KnowBe4 online at http://www.knowbe4.com. To learn more about Cyberheist, or to order the paperback or e-book edition, visit http://www.cyberheist.com.

About Stu Sjouwerman and KnowBe4

Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based Internet Security Awareness Training (ISAT) to small and medium enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced Internet security awareness training. He is the author of four books, including Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.

* Symantec 2010 SMB Information Protection Survey; June 2010.