The Financial Impact of Spear Phishing
A business that experiences a serious security incident will inevitably feel a negative effect on its brand. Discussions of brand-related business impacts tend to be general, though. A high-profile breach triggered by spear phishing will be judged “bad for the brand,” but what does that mean? What is the actual cost of the brand damage? While it’s a highly subjective issue, this article will look at ways to quantify the financial impact of a spear phishing attack on a company’s brand.
Spear phishing is a hacking technique that penetrates an organization’s systems and data by using deceptive email messages with specific references to people and projects that the recipients know. An email from a “colleague” turns out to be fake, allowing the attacker to steal login credentials for confidential systems or inflict other mischief. It works. An estimated 91% of hacking attacks start with phishing or spear phishing.
An Intangible but Very Valuable Asset
Brands are often perceived as intangible assets. They are. You can’t put them in a box or build one out of steel. Yet, brands are inherently financial in nature. A strong brand translates into higher market valuation and lower investments in marketing. It takes money to get customers and channel partners to take a weak brand seriously. Recovering from a brand-weakening spear phishing attack requires specific remediation steps, such as public relations, market research and advertising. All of these result in unplanned spending to repair the brand.
To illustrate the financial brand impact of spear phishing, consider the case of a hypothetical producer of organic foods that sells its products through supermarkets. A spear phishing attack leads to the theft of the company’s rewards club membership list, which contains personally identifiable information for hundreds of thousands of people who had enough respect for the brand to enroll.
“Before”: Baseline Financials
To estimate the financial impact of the spear phishing attack on the company’s brand, we need to start with some baseline financials. The table shows a simplified income statement for the company before the attack.
Cost of Goods Sold (COGS) is 45% of revenue. Channel incentives, such as co-op advertising, in-store promotions and “shelf slotting fees,” account for 5% of revenue. The resulting gross margin is 50% of revenue.
Advertising is 20%, while General & Administrative (G&A) is 5%. Pretax earnings come in at 25% of revenue, or $75 million. Net income is 40% of pretax income, or $30 million. With the company’s stock trading at a 15X price-to-earnings ratio, the company has a market capitalization of $450 million.
“After”: The Costs of Remediating the Attack on the Brand
Brand repair usually means more spending on public relations and advertising. How much will, of course, depend on the severity of the brand damage. It won’t be cheap, though, if it’s done right. The figures shown in the table are rough estimates but they capture what can be involved in investing in the subjective art of media management. The company’s PR firm puts two additional staffers on the brand repair project for 6 months at $200 per hour. That’s a $500,000 cost.
A market research project undertakes the extremely tricky task of figuring out how a new message and advertising campaign can bring the brand back from its place of damage. Doing an ad campaign that looks cynical or insincere can actually hurt the brand more, so research is needed to gauge customers’ real opinions in depth. This is another $500,000 outlay. The advertising campaign itself seeks to reach 25 million people who live in areas where the product is sold. The goal is to reach this audience four times on primetime network television, where the “Cost per Thousand” (CPM) for an ad is $43. Running the ads costs the company $5.375 million.
Channel incentives will likely increase when a brand takes a hit. A popular brand is a plus for a supermarket. A damaged brand needs help staying on the shelves. Extra co-op advertising, more coupons that cut margins and increased fees for “slotting” and in-store promotions cause the channel incentive cost to rise from 5% of revenue to 6%.
The Total Impact
The total out-of-pocket costs are $6,375,000, but that’s not the real cost of the brand damage from spear phishing. The table shows the before and after income statements. Assuming a 1% drop in revenue from the incident as a few customers stop buying the brand, revenue drops to $297 million. Cost of goods remains the same, but higher channel incentives bring gross profit down to 49%. Higher G&A and advertising costs shrink net income from 10% of revenue to 9%. The “After” net income is $4.338 million below the “Before” figure. However, this figure doesn’t tell the whole story.
The dip in earnings sends the stock price lower. Trading at 15X, the stock falls from $9 per share to $7.70, wiping out $65 million in market capitalization. That’s going to hurt, but it is a realistic cost of brand damage from spear phishing that results in a serious security incident. The stock may recover, but no company wants to go through a drop in value like that. A lot of executive bonuses are riding on that share price.
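The before/after model described in the last few sections, written out as a small script so the figures can be checked and the assumptions (1% revenue loss, channel incentives at 6%, remediation spend) changed. This is an added illustration, not code from the original article, and every number in it is the article’s hypothetical organic-food company, not real company data; the 50 million share count is assumed from the stated $450 million market cap at $9 per share.

```python
# Before/after income-statement model for the brand-damage scenario above.
# Added illustration, not from the original article; all figures are the
# article's hypothetical example, not real company data.

PE_RATIO = 15          # price-to-earnings multiple used by the article
NET_OF_TAX = 0.40      # net income is 40% of pretax income
SHARES = 50_000_000    # assumed: $450M market cap at $9 per share


def income_statement(revenue, channel_pct, extra_advertising=0.0, extra_ga=0.0):
    """Return the line items in dollars. COGS is 45% of revenue; advertising
    ($60M) and G&A ($15M) stay at their baseline budgets plus any one-off
    remediation spend, which is what reproduces the article's figures."""
    cogs = 0.45 * revenue
    channel = channel_pct * revenue
    gross_profit = revenue - cogs - channel
    advertising = 60_000_000 + extra_advertising
    ga = 15_000_000 + extra_ga
    pretax = gross_profit - advertising - ga
    net = NET_OF_TAX * pretax
    return {
        "revenue": revenue, "cogs": cogs, "channel": channel,
        "gross_profit": gross_profit, "advertising": advertising, "ga": ga,
        "pretax": pretax, "net_income": net, "market_cap": PE_RATIO * net,
        "share_price": PE_RATIO * net / SHARES,
    }


def brand_damage_impact():
    """Baseline versus the post-incident year, with the deltas the article cites."""
    before = income_statement(300_000_000, channel_pct=0.05)
    after = income_statement(
        revenue=300_000_000 * 0.99,   # 1% of customers stop buying
        channel_pct=0.06,             # extra co-op ads, coupons, slotting fees
        extra_advertising=5_375_000,  # the TV campaign
        extra_ga=1_000_000,           # PR staff $0.5M + market research $0.5M
    )
    return {
        "before": before, "after": after,
        "out_of_pocket": 5_375_000 + 1_000_000,
        "net_income_drop": before["net_income"] - after["net_income"],
        "market_cap_drop": before["market_cap"] - after["market_cap"],
    }


if __name__ == "__main__":
    r = brand_damage_impact()
    for key in ("out_of_pocket", "net_income_drop", "market_cap_drop"):
        print(f"{key:>16}: ${r[key]:,.0f}")
    print(f"share price: ${r['before']['share_price']:.2f} -> "
          f"${r['after']['share_price']:.2f}")
```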
This model also assumes that the damage can be repaired. Often, it can, but there are plenty of situations where security breaches cause irreversible brand damage. In this case, if the organic food CEO called vegans “kooks and phonies” (even jokingly) in a leaked email, the brand could take a long time to recover, if it ever did. Certainly, the CEO would be looking for a new job. The CIO might also be at risk.
Defending Against Spear Phishing Attacks
Protecting a business from spear phishing is challenging, as many existing email spam filters and anti-malware tools don’t catch a spear phishing email. Vade Secure offers a solution. Its unique defense against spear phishing attacks can be layered on top of existing anti-spam solutions to provide better overall email protection. The solution takes advantage of Heuristic Email Filtering with artificial intelligence, which has been trained to spot spear phishing messages based on learning from monitoring hundreds of millions of emails over a decade.
Give us a call at 415-745-3630 or contact us if you want to discuss how you can quickly add anti-phishing measures to your current email setup.