What is the True Cost of a Data Breach?

Mar 13th 2017

Right now, there are probably few things that should be more worrisome to most businesses than the prospect of being targeted for a major data breach or other cyber-crime going after their records. It's a calamity which, in terms of monetary damage, an easily be on par with -or even exceed- natural disasters such as tornadoes or hurricanes. 

According to one recent study, it's now become the second most-common form of economic crime. And that's only going by the reported cases. While it's impossible to say for certain, it's entirely possible that between businesses that manage to successfully cover up intrusions and those who are simply unaware of an ongoing intrusion for years, it's even more commonplace than numbers can prove.

This is something no businesses, even small operations and startups, can afford to ignore. The costs of even a single data breach can be truly ruinous. So we wanted to take a look at the true cost of a data breach overall, as well as the major contributing factors, along with what (few) mitigation strategies are available.

How Much Could A Data Breach Cost You?

This is an extremely difficult question to answer precisely, because it depends on a wide range of factors including both the number and type of records breached, the costs of "cleanup," and the long-term impact on the business's reputation.

However, there have been attempts to find some rough averages, and they aren't good. Probably the most credible is a recent IBM study which put the costs at $4 million in total, with an average cost of $221 per record compromised. And that's only talking about relatively small scale breaches, with "only" tens of thousands of records compromised. If you're talking about the sorts of high-profile major attacks global companies like Sony, Target, and Yahoo have suffered, the costs easily soar into eight- or nine-figure price tags.

So that's not a $4m loss for the big players. That $4 million you could easily be on the hook for, in the case of a data breach. Needless to say, that's an amount that could easily ruin an SMB.

Where Do The Costs Come From?

As we mentioned above, there are a lot of factors at play here which ultimately affect the long-term costs. These are the biggest determinants of the overall price tag:

  • The number of records affected, obviously.
  • The types of records affected. The less public the information, the more costly it becomes. Losing a list of email addresses isn't a big deal. Losing tens of thousands of social security
    numbers is. Losing credit or medical records could be ruinous.
  • The effect on day-to-day business. If a breach also takes servers offline, it can severely impact or outright prevent business from being conducted for a significant amount of time.
  • The actual cause of the breach. Those involving third parties (like outsourced data centers) are generally the most expensive, because it can create long and painful legal actions to determine actual responsibility, as well as necessitating major shifts in business plans away from the third-parties involved.
  • Any direct theft. Ambitious hackers may attempt to gain access to your bank accounts or other sources of capital, on top of trying to obtain records.
  • Costs of fixing the root problem. If the breach was entirely local, that will undoubtedly mean major new investments into hardware, security software, and very likely expert security talent to prevent it happening again.
  • Legal costs, from outright regulatory penalties to the costs associated with the legal investigation into the culprits. Not to mention the potential for expensive class-action lawsuits.
  • Loss of public confidence, which can easily tank sales or stock prices, affecting a company's value for the long-term.
  • Disrupted business plans, such as worst-case scenarios where a data breach endangers plans for takeovers or mergers.

This is the truly insidious thing about cybercrime. If your company is hit by a tornado or other "act of god," very few people will hold it against you. Such things just happen, as they say. Furthermore, once you've made the appropriate infrastructure repairs, the damage has basically been contained. But if you're hit by a cybercrime, you will take a major hit in the public eye, and the costs could continue to mount for years into the future.

Speaking of natural disasters...

Isn't There Insurance?

Yes, but...

Cybercrime insurance has started to become a concern, with some insurance companies beginning to branch out into such areas. However, according to NPR, as of 2015 only about 20% of businesses have invested in it. Many companies, it seems, mistakenly believe themselves to be covered against cybercrimes when they are not in reality.

Further, there are issues in the market. Many insurers - especially the big names - are understandably reluctant to jump into such a volatile and unpredictable field of coverage. Actuarial tables on matters like life and health insurance are based on literal centuries of data. Cybercrime figures have maybe 20-30 years of numbers, and not very reliable numbers at that.

Some companies offering cybercrime insurance have extremely limited policies, full of loopholes, that may be nearly worthless in the case of an actual attack. Others may not have the financial backing to handle a major payout. And those who truly are offering robust coverage with the funding to back it up are asking extremely high prices, due to the risks they're under.

And just making things worse...

The World Governments Cannot Cope With The Problem

Don't expect the government to help you. The vast majority of cybercrime cases go completely unsolved, especially since estimates are that at least 70% cross international borders. Likewise, according to the UN, between 33-50% of countries don't even have sufficient laws covering cybercrime. On top of that, there are a staggering number of ways to launder money online these days, particularly with the rise of largely untraceable cyber-currencies like Bitcoin.

Basically, if you've been hacked by someone in the developing world, there's nothing that can be done about it. They won't be caught. Even if they're in a country with advanced legal protections against cybercrime, the chances of actual restitution are very slim.

If this all sounds grim, well, it is. And cyber-criminals are becoming increasingly bold thanks to it, as evidenced by the stunning rise in "ransomware" schemes in the past two years. Nowadays, it's often more effective for criminals to breach a company and use direct coercion to get payouts, rather than stealing records for themselves.

Protect Yourself, Because No One Else Will

If you can afford cybercrime insurance and find a good policy, it's a good "safety net"... but it's not a permanent solution. Nor is "security through obscurity" a sufficient protection for small businesses and startups. Ransomware can target even the smallest of companies. There is simply no substitute for good internal security and good training of your staff in proper handling of data.

You are your own first line of defense, and often your only line of defense.

These are challenging times, given how reliant nearly all businesses have become on electronic record-keeping. Few expenditures can be more important to the future of your business than keeping that data safe.

For more information, or a security review, please contact Network Products for Advice.

google-site-verification: google17b8657f319776c0.html