What’s the average cost of a cyber-attack?

An analysis of cyber-attack trends, and how they're impacting businesses globally.

Gareth Shelwell May 15, 2023 (Last Updated: August 31, 2023)

With the never-ending media coverage of the latest cyber security breach, you may find yourself wondering "how much does this whole fiasco cost the companies that fall victim?" In this blog post, we'll explore real-world cyber-attacks and discuss the financial and non-financial impacts that follow in their wake.


What You'll Learn In This Article.

  • What are cyber-attacks and why do organisations fall victim to them.
  • The cost and frequency of cyber-attacks in 2022 and 2023.
  • What is at stake in the event of a cyber-attack.
  • The financial, non-financial and societal costs of a cyber-attack.
  • Most importantly, what are 3 steps you can take to reduce the cost of a cyber-attack.

What is a cyber-attack?

Let's take a step back and first understand what a cyber-attack is. To do this, let's start with an analogy. Imagine a burglar trying to break into your home. They may try to pick the lock, break a window, pretend to be someone they're not, or simply walk in through an unlocked door.

Similarly, cyber-attackers use various tactics to gain access to computer systems. For example, they might use an SQL injection instead of picking a lock or try to brute-force your password instead of breaking a window. Phishing attacks can be compared to impersonating a delivery driver, while leaving your devices unsecured is like leaving an unlocked door.


Once a burglar breaks into your home, they can do all sorts of damage, such as stealing valuable items or vandalising your property. Similarly, once a cyber-attacker gains access to a computer system, they may steal sensitive data, corrupt files, install malware, or cause other damage.

Your next question may be “Companies secure their buildings from burglars why don’t they apply the same logic and secure their digital assets from cyber-attackers?”

The need to keep our belongings safe is deeply ingrained in human nature. For thousands of years, we have used locks and keys to secure our homes, valuables, and possessions.

The first lock and key devices were discovered in Nineveh, the ancient capital of Assyria (modern-day Northern Iraq and South Eastern Turkey), more than 6,000 years ago! Since then, locks have evolved, with wooden pin locks developed by the Egyptians being one of the earliest iterations of the modern lock. These locks used a key to lift the pins from the bolt holes, allowing the bolt to move and providing security against unwanted access.

In today's digital age, the need to protect our assets has shifted from physical locks to cybersecurity measures. Companies must apply the same logic of protecting physical assets to their digital assets and implement appropriate cybersecurity measures to safeguard their systems and data from cyber-attacks.

Ancient locks evolved gradually over the centuries. Cybersecurity measures, on the other hand, must evolve rapidly to keep up with changing threats and technologies.


Many organisations struggle to keep up with the constantly evolving cybersecurity landscape and the new challenges it presents. As a result, we often hear about organisations in the media that have fallen victim to data breaches or hacks. Here are the main reasons why:

  1. Valuable data: Organisations often have access to large sets of valuable data, such as customer information, financial records, and intellectual property.
  2. Lack of cyber security measures: Despite having significant resources, some large corporations may not have adequate cybersecurity measures in place to protect against cyber-attacks. This can make them vulnerable to attacks from hackers who are able to exploit weaknesses in their systems.
  3. Human error: Even with strong cybersecurity measures in place, a company is only as secure as its employees. Human error, such as clicking on a phishing email or sharing passwords, can create vulnerabilities that hackers can exploit.
  4. Third party risks: Large corporations may have relationships with third-party vendors or suppliers, who may themselves be vulnerable to cyber-attacks. Hackers may target these third-party vendors to gain access to the larger corporation's systems.
  5. Cybersecurity as an afterthought: In some cases, large corporations may view cybersecurity as an afterthought, rather than a priority. This can result in insufficient investments in cybersecurity, lack of awareness among employees, and poor incident response plans, all of which can make them more susceptible to cyber-attacks.

Cyber-attacks are becoming more frequent and more costly

In the Fortinet 2023 Cybersecurity Skills Gap Global Research Report, responses were obtained from online interviews and email surveys of 1,855 IT and cybersecurity decision-makers in 29 countries, from a range of businesses with 100-5000 employees. The findings indicated breaches had risen between 2021 and 2022.

84% of respondents indicate their organisation experienced one or more breaches in the past 12 months, up from 80% the year before.

  • 55% had one to four breaches
  • 29% had five or more breaches
  • 7% had nine or more, more than double the previous year (3%)

There was a notable increase in the cost of breaches exceeding $1 million.

Nearly half (48%) of organisations that suffered at least one breach in the past 12 months indicate that it cost more than $1 million to remediate, up from 38% in 2021.

  • 64% of North American organisations report a total cost of breaches above $1 million, the most of any region.
  • 31% of Latin American organisations report a total cost of breaches above $1 million, the fewest of any region.

Of the surveyed companies in the Fortinet report, phishing was the most common attack method.


Reference: Fortinet 2023 Cybersecurity Skills Gap Global Research Report

According to IBM's 2022 Cost of a Data Breach Report, the global average cost of a data breach in 2022 was $4.35M! Key notes from that report are:

  1. Data breaches in the United States are more than twice as costly as the global average. Breaches in the United States cost on average $9.44M!
  2. The Healthcare industry gets hit the hardest. On average, a data breach costs $10.10M.
    CanIPhish has dedicated training modules for the healthcare industry! Check out the library of training material.
  3. Phishing attacks resulting in a data breach, end up having the highest average cost at $4.91M
  4. The most frequent cause of a data breach was found to be stolen or compromised credentials, which also took the longest time to identify and contain (327 days). Breaches of this type cost USD 150,000 more than the average data breach.
  5. Days matter. On average it took 277 days to identify and contain a breach. Companies that contained a breach within 200 days or less saved $1.12M on average per breach.

What’s at stake?

Cyberattacks can wreak havoc on organisations of all types and sizes. Depending on the nature of the business, the effects of a successful cyberattack can range from a minor inconvenience such as your favourite digital news site being temporarily offline to more serious consequences like putting lives at risk if critical infrastructure, such as power grids or transportation systems, are attacked.

It's important to note that small businesses are far from immune. Whilst they might not hold the volume of valuable information of their larger counterparts, they often lack the resources to recover from an attack.

Here are the key areas that are at stake in the event of a cyber-attack:

  1. Personal Data: Personal data such as names, addresses, financial information are valuable to hackers who can use this information for identity theft, fraud, and other criminal activities.
  2. Business Continuity: A successful attack can cripple a business by disrupting operations, leading to financial loss, reputational damage and loss of customer trust.
  3. National security: Cyber-attacks can target critical infrastructure, such as power grids, transportation systems, and communication networks, which can have far-reaching consequences on national security and public safety.
  4. Intellectual property: Trade secrets, product designs, source code and research data are prime targets. Their theft can hand a competitor or a foreign state years of work and erase the victim's competitive advantage.
  5. Human safety: With the rise of devices connected to the internet, new opportunities for cyber criminals have emerged that can threaten human safety. For example, a hacker could gain control of a medical device or a self-driving vehicle with malicious intent to cause serious harm.

Cyber-attacks have far-reaching consequences that go beyond financial costs and can impact societies, individuals, and organisations in various ways. Let's explore some real-world examples of cyber-attacks and their costs, including financial, non-financial, and societal impacts.

The financial costs of a cyber-attack

To understand just how bad it can get, let's look at the well-known 2017 hack of the US-based credit bureau Equifax. It remains one of the most expensive breaches in history: the private records of 147.9 million Americans, 15.2 million British citizens, and around 19,000 Canadians were compromised. The attackers took advantage of the company's failure to update its Apache Struts web framework and gained access via a known vulnerability for which a patch had been available for months.

In the aftermath, Equifax was criticised for its network design, its encryption, and its breach detection mechanisms. Had it kept its software up to date, it might have avoided the titanic financial impact of this breach. All told, the attack cost Equifax a mind-boggling US$2 billion. This figure includes settlement costs and free credit monitoring for affected consumers.

The non-financial costs of a cyber-attack

Whilst a cyber-attack can cost an exorbitant sum of money to remediate, an attack can have more than just financial consequences.

The Facebook-Cambridge Analytica scandal was a data privacy controversy involving the social media giant Facebook and the British political consulting firm Cambridge Analytica. It was not a cyber-attack in the traditional sense of the term: no system was broken into. Rather, it was a data breach caused by the misuse of Facebook user data that Cambridge Analytica had obtained through a third-party app.

In 2014, Cambridge Analytica obtained access to the personal data of millions of Facebook users without their consent, through a third-party app that collected user data.

The allegation is that the data was used to create psychographic profiles of voters. These profiles were then used to target individuals with specific political ads and messages, aimed at influencing their voting behaviour during the 2016 US presidential election in favour of Donald Trump.

The Facebook-Cambridge Analytica scandal highlights how a breach with non-financial motivations can still be extremely impactful.

The scandal led to investigations, fines, and changes in data privacy regulations, as well as increased scrutiny of Facebook's data collection practices.

The societal cost of a cyber-attack

The damage a cyber-attack can cause has the potential to extend far beyond the immediate victim or company. Take the WannaCry ransomware attack in May 2017 for example. This attack affected over 300,000 computers across 150 countries.

The attack exploited a vulnerability in the SMBv1 file-sharing protocol of Microsoft's Windows operating system. The exploit had been developed by the US National Security Agency (NSA) and was subsequently leaked by a group of hackers known as the Shadow Brokers. Notably, Microsoft had released a patch for the flaw (MS17-010) in March 2017, two months before the outbreak; the machines that were hit were those that had not applied it or were running unsupported versions of Windows.

The attackers demanded a ransom of $300 in Bitcoin per infected computer, which was later increased to $600, with the threat of permanently locking the victim's files if the ransom was not paid within a certain timeframe. Here is an in-depth breakdown compiled by the US Government Cybersecurity & Infrastructure Security Agency (CISA).


Critical infrastructure systems were heavily impacted which translated to people across the globe being negatively affected. Here are a few examples of how:

  • Healthcare: Many hospitals running outdated versions of Windows were infected, causing widespread disruption as hospitals were forced to cancel surgeries and appointments and turn away patients.
  • Transportation: The ransomware also impacted transportation, as several train and metro systems were affected, from railway station displays in Germany to mobile phone network outages in Russia.
  • Energy: Utility companies were unable to bill customers or respond to requests during the attack, causing disruption and supply issues for consumers.
  • Financial services: Banks across the globe were impacted as the malware disrupted ATMs and caused financial services to become temporarily unavailable.

How can an organisation reduce the cost of a cyber-attack?

  1. The age-old adage, prevention is better than a cure, rings especially true for cyber security. Preventing a cyber-attack usually entails security measures such as firewalls, antivirus software, and employee training programs. While there are costs associated with implementing these measures, it is generally much lower than the cost of dealing with the fallout from a successful cyber-attack, which can include lost revenue, harm to customers and clients, legal fees, reputational damage, and the financial burden of implementing new security measures to prevent future attacks.
    CanIPhish offers comprehensive employee training at a fraction of the cost of a security breach. Best of all, you can get started for free!
  2. Having an Incident Response (IR) plan is a must. Regular testing of the plan can help to proactively uncover weaknesses in your cybersecurity and reinforce your defences. In the previously mentioned IBM data breach report, companies with comprehensive IR plans saw USD 2.66 million in savings compared to breaches at organisations without IR plans.
  3. Consider a zero-trust policy for your organisation. A zero-trust policy assumes that no user or device, whether inside or outside your network, can be trusted by default. Every request for access to sensitive data or resources is treated as potentially hostile and must be authenticated and authorised on its own merits: the user's identity is verified (ideally with multi-factor authentication), the device's health is checked, and access is limited to the minimum the user actually needs. Being on the corporate network is no longer enough. This directly addresses the stolen-credential breaches that IBM found to be the most common and the slowest to contain.
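To make the difference between a perimeter model and a zero-trust model concrete, here is a small access-decision function, added as an illustrative example (it is not CanIPhish's code or any vendor's product). The policy table, the three sample requests, and the specific checks (MFA, managed device, patch level, least-privilege action) are all constructed for the example; a real deployment would source them from an identity provider, an MDM system and a policy engine.

```python
"""Illustrative zero-trust access decision (added example, not the page's own code).

Every request is evaluated on identity, device posture and the specific
resource/action, regardless of whether it originates on the corporate LAN.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool      # identity proven with a second factor this session
    device_managed: bool    # device enrolled in MDM / known to the organisation
    device_patched: bool    # device passes the current patch-level check
    source_network: str     # "corp" (office LAN / VPN) or "internet"
    resource: str
    action: str             # "read" or "write"


# Constructed, hypothetical least-privilege policy: which users may perform
# which actions on which resource. A real deployment would pull this from
# an identity provider or policy engine.
POLICY = {
    "hr-db": {"alice": {"read", "write"}, "bob": {"read"}},
    "wiki":  {"alice": {"read"}, "bob": {"read", "write"}},
}


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy 'castle and moat' model: anything on the corporate network is trusted."""
    return req.source_network == "corp"


def zero_trust_decision(req: AccessRequest):
    """Default deny. Every check below must pass for every single request,
    and network location is deliberately not one of the inputs.
    Returns (allowed, list_of_reasons_for_denial)."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("identity not verified with MFA")
    if not req.device_managed:
        reasons.append("unmanaged device")
    if not req.device_patched:
        reasons.append("device fails patch-level check")
    allowed_actions = POLICY.get(req.resource, {}).get(req.user, set())
    if req.action not in allowed_actions:
        reasons.append(f"{req.user} is not authorised to {req.action} {req.resource}")
    return (not reasons, reasons)


# Constructed sample requests.
# An attacker using stolen credentials from a compromised desktop on the office LAN.
STOLEN_CREDS = AccessRequest("alice", False, True, False, "corp", "hr-db", "read")
# A legitimate employee working remotely on a compliant laptop.
REMOTE_ALICE = AccessRequest("alice", True, True, True, "internet", "hr-db", "write")
# An authenticated employee overstepping their role.
BOB_WRITE = AccessRequest("bob", True, True, True, "corp", "hr-db", "write")

if __name__ == "__main__":
    samples = [("stolen creds", STOLEN_CREDS),
               ("remote alice", REMOTE_ALICE),
               ("bob write", BOB_WRITE)]
    for name, req in samples:
        ok, why = zero_trust_decision(req)
        print(f"{name:13} perimeter={'ALLOW' if perimeter_decision(req) else 'DENY':5} "
              f"zero-trust={'ALLOW' if ok else 'DENY':5} {'; '.join(why)}")
```

Run as a script, the perimeter model waves the stolen-credential request through simply because it comes from the office LAN, while the zero-trust function denies it for lack of MFA and an unpatched device; conversely, the remote employee on a healthy device is allowed in even though the perimeter model would have blocked her. The third case shows that identity alone is not enough: a genuine user is still denied an action their role does not permit.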


The bottom line is this: cyber-attacks are costing more, becoming more prevalent and they're not going away anytime soon. But don't despair – there are things you can do to protect your organisation and minimise the risk of a cyber-attack.

The good news is that by investing in prevention and mitigation measures, including regular cybersecurity training, incident response planning, and adopting a zero-trust policy, organisations can significantly reduce their risk of a cyber-attack and avoid the potentially devastating financial and reputational consequences that come with it.

Remember, no matter the size of your business, cybersecurity should always be a top priority. So, stay vigilant, stay safe, and don't let the bad guys win!

Written by

Gareth Shelwell

An Ops Manager dedicated to helping you safely swim amongst the internet of phish!