The potential losses from a global cybersecurity incident targeting cloud providers are great, but the companies that plan now will be the ones that emerge victorious.

You cannot rely on good PR alone as a disaster recovery plan. Hire an expert to do for you what many others will neglect in the technical testing arena.

Insurance company Lloyd’s of London recently released a study estimating the cost of a hypothetical, global-scale cyberattack on cloud service providers at $53 billion, a number comparable to what was spent on recovery efforts after Superstorm Sandy.

Equifax logo
Equifax's moves after its breach diluted confidence in the company, according to Timothy Crosby, senior security consultant for Spohn Security Solutions. Bloomberg News

The losses from this type of attack are calculated from multiple perspectives to come up with a reasonable number. There is the loss of time, equipment, brand reputation and investor confidence. But, the biggest hit comes from the billions of hours of lost productivity in the time spent recovering and recreating data, replacing lost sales opportunities, isolating infected systems and performing remediation efforts.

Though some equipment and recovery costs may be passed on to consumers if confidence in the brand is not completely lost, the business that survives will most likely never be the same again.

One strategy implemented by the victims of a cyberattack is to hire a crisis PR firm. Their job is to try to convince the public that, even though a mistake was made, those affected will be compensated and the source of the problem is no longer an issue.

Best-case scenario, the personal impact to the customer is minimal, the info being fed them by the PR company is believable, and they forgive and forget. If not successful, the situation can become worse.

Equifax, for example, bungled its chance by asking for personal information to determine if a user was affected and then issuing a predictable PIN code to those who requested a credit lock. Those miscommunications in PR did not increase confidence that Equifax understood the basics of cybersecurity and personal privacy protection. The company would have been better off owning the issue, correcting it and compensating everyone affected.

All companies with external facing connections (connected to the internet) need an extensive external security assessment with follow-up action on the results. If they have an internet-facing website or web application, they need to get an intensive web application assessment performed from a reputable outside firm/agency.

Internally, the first step in any data security or business continuity plan is to identify and classify all data and critical applications. This is needed so that continuity and security countermeasures can be applied in an emergency. Once you've done that, perform backups of critical data and applications, storing a copy off-site.

What specifically needs securing, where security features should be applied, and to what degree you should implement security countermeasures can only be determined by a detailed risk assessment.