Weighing up costs and benefits has always been – and still is – a sensible and logical starting point to make important decisions in a company. So now that companies realise that the risk for data leaks continues to grow – IBM Security’s ‘Cost of a Data Breach Report 2019’ calculated that the odds of experiencing a data breach reaches up to an alarming 29,6% –, a new cost/benefit assessment needs to be made.
The point is of course that investing in security measures significantly lowers the chance of a data breach and reduces costs in the event that a data breach was to occur after all. But before going there, let’s take a look at the actual cost of a data breach first.
How is the cost of a data breach composed?
According to IBM Security’s report, the average cost of a data breach in 2019 – based on the input of 507 companies from around the world – is $ 3,92 million, a rise of 12% since 2014.
The average cost was calculated using the activity-based costing (ABC) method and consists of four process-related activities (numbers show cost percentage of $ 3,93 million):
- Detection and escalation costs (31,1%): assessment and audit services, crisis team management, …
- Post data breach response costs (27,3%): help desk activities, legal expenditures, regulatory fines, …
- Lost business costs (36%): reputation losses, cost of lost customers, …
When your organization is confronted with a data breach, you’ll want to close the leak first, which will probably result in IT-related costs. You also have to communicate quite intensively to several stakeholders during the entire process, and in some cases, you even might have to install a helpdesk to help out your customers. All this of course entails extra costs as well.
On top of that, your organization might also have to pay regulatory fines (SOx, GDPR, NIS, …) and legal costs. And last but not least, long tail costs – 22% of the total data breach cost has to be paid in the second year after the breach, and 11% during the following years – caused by the loss of customers, and a damaged reputation and goodwill make the total cost even higher.
Cost-increasing and cost mitigating factors
There are a number of factors that can positively or negatively influence the cost of a data breach. One of the biggest nominators is in the use of security solutions. Organizations that have not deployed automated security solutions – like analytics and automated incident response orchestration –, were faced with breach costs that were 95% (!) higher compared with organizations with fully-deployed automation.
Statistics can provide you with much valuable insights – especially if a trustworthy source like IBM Security is involved – but real world cases make it all just a little more tangible. All cases underneath are based on news items that were published within a single month (!). This clearly shows that data breaches have become an everyday reality.
The costs that are mentioned in these cases are a lot higher than the $ 3,92 million average from IBM Security’s report, but that is because only larger data breaches tend to appear in the press…
Hydro, a Norwegian company that is one of the worlds’ largest aluminium producers, so far lost an estimated € 62 million as a result of a ‘LockerGoga’ ransomware infection in 2019. Granted, a ransomware infection is not a textbook data breach, but the two are closely related and both are the result of losing control over data.
Asco, a Belgian company that builds parts for Airbus and Boeing, as well as for military aircraft like the Lockheed Martin F-35, was also attacked with ransomware. This paralysed virtually all activities in the company for more than a month, turning around 1.500 staff members into technically unemployment. At the time of the attack, Asco was in a takeover procedure by American group Spirit AeroSystems. As a consequence of the cyberattack, the initial selling price of $ 650 million will be lowered by to $ 150 million.
Data breaches up to +1 billion dollars
Capitol One, a US based financial holding, is another 2019 data breach victim. As a result, personal data of 106 million individuals were stolen. In a statement, Capitol One says that the costs resulting from the data breach are estimated between $ 100 million and $ 150 million. However, those are only the costs for the financial year of 2019. The total cost, including long-tail costs that will be booked over the following years, will probably be a lot higher…
And a year after British Airways suffered a data breach in 2018, the British Information Commissioner’s Office imposed a € 204 million fine on the airline. So far, this is the highest GDPR fine imposed. The amount corresponds to 1,5% of the company’s turnover, but GDPR regulators could fine companies up to 4% of their yearly turnover. Information Commissioner Elizabeth Denham states: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check if they have taken appropriate steps to protect fundamental privacy rights.”
Several sources – including The New York Times – indicate that American credit rating agency Equifax has to pay between $ 575 and $ 700 million dollar as a compensation for the inadequate protection of user data. In 2017, personal data of 145,5 million Equifax consumers were captured by cyber criminals. The payment is meant to settle consumer claims as well as state and federal investigations. The total cost of the data breach however, is an estimated $ 1,25 billion dollars.
The risk that your organization will face a data breach in 2019 or 2020 – costing an average of $ 3,92 million – is 29,6%. This risk has grown significantly (+31%) from 2014 to 2019 and is expected to grow even further in the forthcoming years. Organizations that have not invested in information security management and security solutions – such as analytics and automated incident response orchestration – pay on average 95% more (+ $ 2,51 million) in the event of a data breach.
Conclusions & next steps
While $ 3,92 million – or $ 6,43 million when no automated security solutions are installed – isn’t exactly pocket change, it’s not enough to bring a large enterprise company down to its knees. It could hurt a bit yes, and possibly some complaints may arise from shareholders saying those costs could have been avoided, but that’s pretty much it.
This brings us back to the question of whether or not organizations should invest in data security measures to mitigate the risks for data breaches. The answer is a resounding ‘yes’. Not because the costs are dangerously high, but because the likelihood to get confronted with a data breach rises every year, and because the use and processing of data continues to gain importance in many organizations, resulting in an ever-growing amount of records. Furthermore, newer legislation (GDPR, NIS, …) increases the chance to get caught.
Last but not least, a data breach or ransomware attack seriously hurts your reputation. In fact, organizations that want to be considered as the leaders of tomorrow simply cannot afford cyber security issues at all…
PS: Don’t forget to take a look at Elimity Insights. This powerful SaaS tool significantly reduces the risk of a data breach and helps you to find weak spots in your defence system swiftly and easily.