Estimates vary, but some reports cite the average cost to a business of a cyberattack as somewhere in the region of $2.4 million. That's small change for the likes of Google and Amazon, but enough to put most firms out of business.
Yet, the cost might not just be limited to the damage done by hackers alone. It's now just over a year since the introduction of the GDPR (General Data Protection Regulation) by the EU, and businesses are shaken by the potential size of any fines that could be handed down for breaching those terms.
Most people see the GDPR in action every day. It's part of those "Your privacy is important to us" pop-ups you will click on without thinking about when you visit a website. The regulation touches all aspects of online life, yet, for businesses, it acts as a huge warning to protect customers data at all costs.
EU can now issue huge fines
In a nutshell, if a business experiences a data breach, the EU can hand down a massive fine relative to the size of the company and its revenues. Forbes ran a retrospective piece which estimated what the fines would have been for the biggest data breaches in history, and it came up with figures like up to $160 million for the 2013-14 data breach at Yahoo.
The GDPR is not designed to punish companies for experience a cyberattack, but instead ensure that companies prepare properly for them, and react appropriately to them. It's made cybersecurity stocks an intriguing investment, because companies are being pushed to implement the most sophisticated software systems to prevent any data breaches.
Indeed, cyberattacks are so commonplace nowadays that they have barely become newsworthy. In May 2019, the city of Baltimore experienced a ransomware attack on its local government computer system. As of mid-June, they are still not fully operational, with a projected cost of around $18 million. Elsewhere, insurance company, Hiscox, estimated that UK small businesses were experiencing 65,000 cyberattacks per day in 2018.
Hackers can do a lot with little pieces of data
Is it right, then, that the EU has the power to hand down fines of up to 4% of a company's global turnover if they are seen to in breach of the GDPR? It might seem draconian, and it might once again be framed as a continuation of the EU's battle with big tech, but it is also the case that companies were playing Russian roulette with our data for years.
What's most worrying is what a hacker can do with scant information. Most of us wouldn't know where to begin with using an address, phone number of D.O.B for nefarious purposes, but hackers tend to use it as a base to gather more information and go from there. Bitcoin owners are particularly attractive as the transactions are not able to be reversed.
In the end, there must be some sort of 'stick' to ensure businesses keep our data safe. Critics can talk about overregulation and overzealous fines, but online privacy continues to be one of the most important topics of our times. Most of us don't take it seriously enough, so the EU might just have to be the adult in the room.