The actual cost of a data breach is significantly more than the damages reported in news stories.
We’ve all read those headlines detailing a recent data breach and the subsequent million-dollar lawsuits. It’s true that data breaches consist of direct, easily measurable costs such as fines or lawsuits regarding stolen information. However, there are indirect costs as well, such as reputational damage, that can impact your company’s bottom line for years.
Considering that the global average cost of a data breach exceeded $4 million for the first time in 2021, the aftermath can absolutely devastate a business.
The data and assets you rely on to maintain operations are valuable and must be secured. There are many ways to reduce the impact (more on that later), but let’s first look at how the costs of a data breach tally up in 2022.
Breaking down the cost of a data breach
Incident response and recovery
As soon as you discover a compromise, you need to respond immediately to minimize the damage.
The initial response costs can skyrocket as you:
- Quarantine compromised hardware and software
- Analyze activity logs
- Document the findings
- Fix the vulnerability (or vulnerabilities) that caused the breach
- Repair or replace infected systems
- Implement security improvements
Each step in your initial data breach response can take days, weeks, or even months. It’s a long process that needs to be done right, meaning you may need to hire an experienced incident response team for the job. Getting experts in fast can prevent further data loss, reducing the overall cost of a breach.
Compromised customer data
A customer’s personally identifiable information (PII) is the most expensive and frequently compromised data in a breach.
PII is valuable to threat actors because it can provide enough detail to apply for loans, credit cards, or even passports in the victim’s name. It’s also a means for the attacker to extort the victims for money or gain access to their online accounts.
Compromised customer records drastically increase the cost of a data breach. T-Mobile, a wireless network operator in the United States, suffered a massive data breach in 2021. The attack exposed the full names, birthdates, social security numbers, driver’s license numbers, and other PII of more than 40 million former or prospective customers and 8 million current T-Mobile customers. Since then, over 50 lawsuits have been filed against the organization.
The media tends to focus on customer data during a breach but losing intellectual property (IP) can devastate company growth. IP can constitute 90% of a company’s value, which explains the appeal of paying cyber crime groups to steal and hand over a competitor’s IP.
Stolen trademarks, patents, copyrights, and trade secrets can threaten a company’s future. Imagine investing years perfecting a product, only to have the source code stolen and auctioned off.
Ransom demands
Ransomware significantly adds to the cost of a cyber security data breach—tacking on an average of nearly $150,000.
Despite officials pleading with companies to disregard hacker demands, 53% of ransomware victims opted to pay a ransom in exchange for their data.
This high statistic is likely because attackers do their homework. Cyber criminals research their targets’ financials—they look at the company’s assets and financial reports to determine the highest ransom they can pay.
It makes sense; it wouldn’t be strategic to demand $48 million from a small organization, but a $100,000 ransom might work.
Companies often agree to pay a ransom because it costs less than the operational downtime, reputational harm, and non-compliance fees of a publicly disclosed data breach. But obliging a criminal’s demands to avoid extensive repercussions isn’t always a fair transaction.
“Ransomware significantly adds to the cost of a cyber security data breach—tacking on an average of nearly $150,000.”
Consider the 2016 data breach involving ridesharing company Uber. A hacker compromised the PII of nearly 60 million employees and customers.
Instead of disclosing the breach immediately, Uber paid the cyber criminal $100,000 to delete the data and keep quiet.
Information about the breach leaked anyway, resulting in a $148 million settlement on top of other damages.
Lost business and reputation damage
We asked our connections on LinkedIn what concerned them most about experiencing a data breach. Almost 40% said reputation damage was their biggest worry, followed by cost, system damage, and downtime.
Their concerns are well-founded.
A data breach will inevitably damage your reputation and negatively affect your ability to acquire and maintain business. In fact, lost business is the most expensive aspect of a cyber security data breach for many victims—accounting for nearly 40% of the average total cost.
Imagine an online retailer has just experienced a breach affecting its website and customer data. In this situation, “lost business” costs may include:
- Missed sales due to system downtime
- Cancelled contracts with third parties or other business partners
- Activities to minimize customer loss (e.g., hosting a customer appreciation sale)
- Lost customers due to reputation damage
- Higher costs to acquire new customers (e.g., additional marketing campaigns)
Studies confirm that public perception changes drastically after an incident—62% of Americans and 44% of Brits admitted they would stop buying from a brand for several months following an attack.
“62% of Americans and 44% of Brits admitted they would stop buying from a brand for several months following an attack.”
And while it’s possible to win back customers after a data breach, that also comes at a cost. After a breach, customers prefer compensation, a detailed explanation of what happened, and proof that proper security controls are in place, according to PWC research.
Legal and non-compliance penalties
Like every other cost associated with a data breach, legal and regulatory penalties vary depending on several factors. The size of the breach, types of data stolen, your industry or geographical location, and initial incident response
Your legal situation may need only 50 attorney hours or thousands. You may need to bring in a crisis communications team to speak to stakeholders, affected customers, and the public.
Depending on the extent of the damage, you may need to enlist a PR firm for long-term support. You may face individual lawsuits or major class action proceedings.
Highly regulated industries, such as healthcare and financial services, will pay more non-compliance fines than others. Healthcare data breaches are far more expensive than the average breach, and that’s likely due to the industry’s extensive data privacy policies.
Those in highly regulated countries will also see higher penalties. Canadian organizations may be fined up to $100,000 (CAD) under the Personal Information Protection and Electronic Documents Act (PIPEDA), with similar fines for European Union (EU) members governed by the General Data Protection Regulation (GDPR).
How to reduce the impact of a data breach
Every business has something a threat actor wants—IP, financial credentials, customer PII, or third-party supplier data. Breaches are becoming less a matter of “if” and more a matter of “when,” even for the smallest of businesses.
However, there are steps you can take that both lower the chances of a breach happening and lower the damage that occurs if one does.
Raise awareness company wide
It’s true that some breaches are purposeful and malicious, like when a competitor knowingly targets your business to steal confidential corporate data or when a former disgruntled employee uses their old accounts to steal financial information.
Other times, however, breaches are unintentional. For example, an employee sends a report with confidential customer data to the wrong email address. Or an employee clicks on a link in a phishing email and unknowingly runs a file containing malware.
Cyber security is a shared responsibility. Cyber criminals sometimes focus on targeting people and accounts instead of systems, making employees a critical part of your company’s defense.
Educate employees on common attack tactics, techniques, and procedures, so they are better equipped to identify when they’re being targeted. Also, make sure employees know about and are following cyber security best practices, including using strong passwords and multi-factor authentication.
Reduce the threat surface
Your company’s threat surface consists of people and accounts, software, hardware, cloud-based services—basically anything an attacker can exploit. By understanding and reducing your threat surface, you’re also reducing attack opportunities for a cyber criminal.
Look to correct things like misconfigured software that might be leaving you vulnerable. Delete old accounts belonging to former employees, and ensure that current employees only have access to the data and systems necessary to carry out their usual tasks.
Keep all your software patched (running the most recent version). Patching can be tedious and time-consuming—sometimes requiring a reboot to complete—and it often feels like there’s a new update every other day. But patching is critical. New versions fix bugs, add new features, improve performance, and address security vulnerabilities.
Create and Maintain data backups
A data backup is basically a copy of data that can be recovered later. There are many approaches to data backups—an external hard drive, using self-serve cloud storage, or working with a backup provider.
Every backup solution has its advantages and disadvantages. Take the time to select an approach based on your company’s unique needs; for example, saving business-critical data to an external hard drive might not make sense for remote-only organizations or for those without IT professionals.
Backups are a critical component of a recovery plan, making it easy to retrieve essential files after an attack or other event that compromised your data. Should an incident occur and limit access to critical files, having a reliable backup expedites recovery and gets you back to business faster.
Be prepared for an incident
There’s a growing divide in total breach costs between organizations prepared for an incident and those that are not.
Effective IR planning is vital: the longer it takes a company to respond to a breach, the more costly it can be. After detecting an attack, how fast you respond may mean the difference between continued business and closing your doors.
An IR plan will typically include:
- An overview of objectives and scope
- Scenarios and incident examples
- Roles and responsibilities
- The incident response steps
There are IR plan templates and guidelines available, but creating your own is time-consuming and may be out of scope for many smaller businesses.
It’s often easier to invest in an incident response (IR) preparedness service, where you can work with experts to assess your company’s cyber security posture and develop a customized plan to lower the impacts of an incident.
Increase your visibility
It takes, on average, about 280 days to detect and contain a breach. To put that into perspective, that’s like saying an attacker gained initial access to your systems in early January and stayed until mid-October of that same year.
Why does it take so long to detect and contain breaches? It might be because many organizations don’t have the right level of visibility of their network, cloud-based services, and endpoints. Companies often stitch together numerous cyber security tools—a firewall, antivirus, maybe even an email filtering tool—to try to create a unified defense. The result, instead, is usually a defense filled with gaps and limited visibility.
Secure Shield, our holistic cyber security solution, detects and responds to threats and vulnerabilities across your network, cloud-based services, and endpoints. And with automatic blocking against major cyber threats like ransomware and advanced persistent threats (APTs), you can sleep soundly knowing your cyber security is handled.
Other costs you should know about
Taking these steps now will reduce the cost of a future data breach, potentially saving your business from months or years of recovery. Remember, a data breach is more expensive than investing in proper cyber security measures.
Looking for more information on this or other security topics? Contact us at cybersecurity@secureits.ca or visit secureits.ca
* * * * * *
Lyle Melnychuk is President and CEO of Secure IT Systems, an IT and security consulting firm specializing in cybersecurity consulting, cloud migration and business continuity solutions. For questions about how SIT can help your company be better prepared, contact lyle@secureits.ca or visit our website at www.secureits.ca