The size and cost of data breaches are increasing rapidly. IBM Security sponsored Ponemon Institute to conduct a study, Cost of a Data Breach Report*, which was published in July 2018. According to the IBM study, since 2017, the average total cost of a data breach increased by 6.4 percent and the average size of a data breach (meaning the number of records lost/stolen) increased by 2.2 percent. The average global data breach costs $3.86 million; the highest global average is by US companies coming in at an average of $7.91 million. By mid-2018, the cost per lost or stolen record was $148.
Total cost differs for every breach depending on type, size, and timeline, but there are common categories of cost that apply to all. Not all costs are visible at a glance. We wanted to know what really goes into the total cost of a data breach; this article is the result. Take a quick look as we break down the likely costs, both direct and indirect, of a data breach in 2019. Buckle up, it’s a bumpy ride.
Data breach costs have been organized into four categories:
- Detection and escalation
- Notification
- Post-data breach response
- Lost business
Dollar amounts are not given because they differ for each breach and depend on many variables, including type, size, and timeline. However, please consider how each category applies to your circumstances and recognize the vast impact a breach could have on your organization. It’s not a matter of if, but of when. We want you to understand, prepare, prevent, and suffer as little damage as possible. Here we go!
Detection and Escalation
Crisis team management. What happens when an organization is attacked? Plan and prepare for security crises. This is really a pre-breach step, and skipping it will cost dearly once a breach occurs. As aforementioned, security breaches are not a matter of if, but of when. Have an incident response team? You should. Organizations with incident response teams reduced the cost by as much as $14 per compromised record (IBM, 2018). Even with a well-equipped internal team, serious situations often require outside consultants, such as FireEye, and those engagements are very expensive.
Forensic and investigative activities. As soon as a breach is detected, an organization delves into forensics to determine what happened during a cyber incident and who was responsible. The goal is to stop the spread of leaked information and limit impact. This stage involves digital forensics, malware and threat analysis (Deloitte, 2016). Depending on the attack vectors used, a larger network compromise might be found and result in expensive threat hunting to identify all affected assets.
Assessment and audit services. Assessments are worth the investment, especially after a breach. Understanding and finding weaknesses in a system can help prevent further network abuse and a future breach. The likelihood of a recurring material breach over the next two years is 27.9% (IBM, 2018). Costs associated with assessments and audits include fines or fees due as a result of non-compliance with federal or state cyber breach laws or industry regulations the company may be subject to (Deloitte, 2016). Following a breach, audits and compliance reviews will be required. Higher-skill assessments may also be performed, though they are not required; they help harden security and ensure another breach doesn’t occur in the same manner.
Communications. Public relations work and communication about the breach are vital, and often costly. A good PR team can help manage external communications, partially repair brand image, and provide media and brand monitoring following an incident (Deloitte, 2016). Communicating with the public is often embarrassing but can save a lot of pain and dollars in the long run. Trying to cover up a breach is a terrible idea. Our advice: rip it off like a Band-Aid and let it heal in the open.
Time. On average, it takes 196 days to identify a data breach (IBM, 2018). However, it only takes minutes for most attackers to compromise an organization. 68 percent of breaches took months or longer to discover (Verizon, 2018). The sooner the detection, the less it will cost. Time really is money when it comes to data breaches.
Notification costs are all costs associated with informing and advising individuals whose data was compromised. State and/or federal law and industry regulations mandate specific notification procedures and policies. Notification includes printing, mailing, and call center services (Deloitte, 2016). Informing clients, customers, and stakeholders is vital. Communicate openly, effectively, and in a timely manner to avoid further time and cost.
Post-Data Breach Response
Help Desk. Customers, clients, and stakeholders will have questions. Account information will be demanded. Staffing a customer information and service help desk handles the people side of recovery while systems teams take care of the technical repair. Inbound communications support should also be counted among the direct costs.
New accounts. Time, resources, and personnel are often needed to reset passwords or issue new accounts. Costs in this category can include forcing account resets and asking for additional validation when assisting customers.
Legal. When it comes to legal costs, it can get spendy really quickly. There is a wide range of legal advisory fees and settlement costs. These fees are often externally imposed and can include the costs of legal actions the company takes to defend its interests. Legal fees and settlement costs for individual breaches and the associated damages vary, but are often very hefty. A sad fact: recovery could take years, and the costs may never be fully recovered, even after a verdict in favor of the company (Deloitte, 2016).
Product Discounts. Damaged reputation can lead to a sense of damaged product or service. Organizations can offer products or services at a discount as a means to repair and repent for a security breach. Discounted products can add significantly to the total cost of a breach.
Identity protection services. Protecting customer data post-breach can be a challenge, and a major expense. Expenditures associated with detecting and protecting against attempts to use an individual’s compromised personal data for unauthorized purposes following a breach can be hefty (Deloitte, 2016). This cost may not apply to many organizations, since the content they store may not warrant identity protection.
Regulatory interventions. A data breach could result in a prohibition on doing business within a certain country. Required audit reporting and fines for regulation violations can add up quickly. GDPR violations alone can add up to $4 million, or an even larger share of business revenue.
To help with regulations, we recommend using a comprehensive compliance framework like Defensix. It has a handy module for governance, risk, and compliance (GRC) that streamlines compliance controls and helps organizations orchestrate all of their GRC needs.
Cybersecurity improvements. Following a breach, improvements are necessary. Improvements can include technical upgrades and patches to the infrastructure, security controls, monitoring capabilities, or surrounding processes. Costs include all efforts to recover business operations after an incident or to prevent a similar occurrence in the future (Deloitte, 2016).
Insurance premium increases. Expect insurance rates to increase following a breach. Purchasing or adjusting insurance policies following a breach can be costly (Deloitte, 2016).
Increased cost to raise debt. Organizations are higher-risk borrowers in the months following cyber incidents. As such, they face higher interest rates for borrowed capital due to a drop in credit rating (Deloitte, 2016).
Impact of operation disruption or destruction. This category is highly variable and specific to each situation. It includes losses tied to manipulation or alteration of normal business operations and costs associated with rebuilding operational capabilities. According to Deloitte, it includes costs “to repair equipment and facilities, to build temporary infrastructure, to divert resources from one part of the business to another, to increase current resources to support alternative business operations to replace the function of systems that have been temporarily shut down. It also includes losses associated with inability to deliver goods or services” (Deloitte, 2016).
Value of lost contract revenue. Though very hard to quantify, a major cost is loss of revenue and ultimate income loss. The loss of future opportunity associated with contracts that are terminated as a result of a cyber incident can be devastating.
Devaluation of trade name. This category is the intangible cost referring to the loss in value of the names, marks, or symbols an organization uses to distinguish its products and services. To determine the devaluation, the estimated value of the trade name before and after the cyber incident needs to be assessed (Deloitte, 2016).
Loss of intellectual property. Another intangible cost is the loss of exclusive control over trade secrets, copyrights, investment plans, and other proprietary and confidential information. Unfortunately, these losses often lead to loss of competitive advantage, loss of revenue, and lasting, potentially irreparable economic damage. Patents, designs, copyrights, trademarks, and trade secrets are included in this category (Deloitte, 2016).
Lost value of customer relationships. Sentimentality aside, relationships have monetary value for organizations. After a data breach, each customer or member is given a value to quantify how much a business must invest to acquire that customer/member. These costs include the likely revenue that one customer will generate for the business over time. Customer relationship value can be evaluated per industry or organization (Deloitte, 2016).
Recommendations to Reduce Costs
“Practice does not make perfect. Only perfect practice makes perfect,” said Vince Lombardi, football legend and wise man.
Why are companies falling short when it comes to data security? We believe it is caused by the practice of testing from an audit perspective – meaning preparing and protecting against auditors – and not against real-world attackers. In order to prepare for and prevent data breaches, we recommend the following real-world approaches to security maturity.
- Identify top risks. Determine the top risk areas and assets. These areas could include processes or activities of high value such as data sets, computer systems, control devices or other digital assets. Conduct assessments to find weaknesses and top priorities. Silent Break Security can help you out here with any type of sophisticated adversary testing. Identifying realistic, direct, and intangible impacts on an organization can help prioritize where efforts and investments should be made.
- Build a realistic budget and invest. Once priorities are determined, make the sacrifices necessary to invest where it matters most. No organization can cover everything. Model realistic scenarios and invest in risk-focused services and products.
- Create the dream team with the right tools. Assemble a team of experts who understand not only tech and regulations, but business strategy, products, revenue streams, operations, and cyber risk programs. As for tools, investing in proper, updated systems, infrastructure, and software is well worth it. There are a lot of moving parts when it comes to compliance and security maturity. Many parts don’t seem very exciting or important until a data breach makes them so. They are annoying to keep track of but valuable to have. Defensix is exactly what an organization needs before, during, and after a breach. It streamlines and simplifies security. We’re happy to tell you more here.
Data breaches are real and happening faster than ever before. As another wise man said, “It is better to prepare and prevent, than to repair and repent.” Preparation and prevention may not be a cure, but they can lessen the blow from a data breach. You know why an organization needs to be ready. How an organization prepares and prevents can make all the difference.
*Disclaimer: This article is intended to be a conglomerate of studies to organize information in a digestible manner with added analysis and recommendations from Silent Break Security. The majority of data breach statistics and information has been gathered from recent studies by IBM/Ponemon Institute (2018), Verizon (2018), and Deloitte (2016). Silent Break Security has received written permission from the Ponemon Institute, who was sponsored by IBM Security to conduct the study, Cost of Data Breach Report, 2018. Silent Break Security does not claim rights to any of the cited/quoted information.