The Financial Impact of Spear Phishing

A business that experiences a serious security incident will inevitably feel a negative effect on its brand. Discussions of brand-related business impacts tend to be general, though. A high-profile breach triggered by spear phishing will be judged “bad for the brand,” but what does that mean? What is the actual cost of the brand damage? While it’s a highly subjective issue, this article will look at ways to quantify the financial impact of a spear phishing attack on a company’s brand.

Spear phishing is a hacking technique that penetrates an organization’s systems and data by using deceptive email messages with specific references to people and projects that the recipients know. An email from a “colleague” turns out to be fake, allowing the attacker to steal login credentials for confidential systems or inflict other mischief. It works. An estimated 91% of hacking attacks start with phishing or spear phishing.

An Intangible but Very Valuable Asset

Brands are often perceived as intangible assets. They are. You can’t put them in a box or build one out of steel. Yet, brands are inherently financial in nature. A strong brand translates into higher market valuation and lower investments in marketing. It takes money to get customers and channel partners to take a weak brand seriously. Recovering from a brand-weakening spear phishing attack requires specific remediation steps, such as public relations, market research and advertising. All of these result in unplanned spending to repair the brand.

An Example

To illustrate the financial brand impact of spear phishing, consider the case of a hypothetical producer of organic foods that sells its products through supermarkets. A spear phishing attack leads to the theft of the company’s rewards club membership list, which contains personally identifiable information for hundreds of thousands of people who had enough respect for the brand to enroll.

“Before”: Baseline Financials

To estimate the financial impact of the spear phishing attack on the company’s brand, we need to start with some baseline financials. The table shows a simplified income statement for the company before the attack.

Cost of Goods Sold (COGS) is 45% of revenue. Channel incentives, such as co-op advertising, in-store promotions and “shelf slotting fees,” account for 5% of revenue. The resulting gross margin is 50% of revenue.

Advertising is 20%, while General & Administrative (G&A) is 5%. Pretax earnings come in at 25% of revenue, or $75 million. Net income is 40% of pretax income, or $30 million. With the company’s stock trading at a 15X price-to-earnings ratio, the company has a market capitalization of $450 million.