THE COSTS OF A DATA BREACH

A look at factors associated with a breach

We all know the threat of a data breach, hack, or attack on our business is very real. What many people fail to realize is the total cost associated with the loss or theft of data. This stolen or lost information can range from trade secrets and proprietary data sought by rogue nations with major hackers to personally identifiable information (PII) and the medical information of patients that can be sold on the Dark Web.

IBM Security, in conjunction with the Ponemon Institute, produce an annual report about the cost of a data breach. The latest report, the 2019 Cost of Data Breach Report, is now in its 14th year and is packed with valuable information that shows the cost of a data breaches continues to climb year after year. Additionally, there are several factors that impact the ultimate cost of a breach, which can have consequences that echo through a company for years.

In this blog, the cybersecurity experts at Dox Electronics examine the real costs associated with a breach through the most recent IBM and Ponemon Institute 2019 Cost of a Data Breach Report and how to prevent such a loss.

The Research and Data
Researchers from the Ponemon Institute study collected in-depth qualitative data of 507 companies and organizations through more than 3,211 separate interviews. The interviews were conducted over the course of seven months between October 2018 and April 2019 in 16 countries around the world.

During the research study, it came to light that in an average data breach, there was a loss of 25, 575 records. Globally, the cost per lost record averaged $150. This means the average total cost for a data breach totaled $3.92 million.

That number jumps significantly for organizations in the United States, which is the country with the highest average cost for a data breach. The average cost of a data breach in the U.S. increased from $7.91 million in the 2018 study to $8.19 million in the 2019 study. The average cost is significantly higher in the U.S. with an average cost of $242 per lost record.

Detection and Escalation
The first cost factor associated with a breach is detection and escalation. In the U.S., it took an average of 245 days to identify and contain a breach while the global average to do the same was 279 days. That’s good news for U.S. organizations given that with each passing day more data can be swiped, thus increasing the cost of the breach.

Per the Ponemon study, costs affiliated with detection and escalation include, “Activities that enable a company to detect and report a breach to appropriate personnel within a specified time period.”

These activities include:

• Forensic and investigative activities
• Assessment and audit services
• Crisis team management
• Communications to executive management and board of directors

Notification Costs
The next breach cost factor comes as a result of notifying clients, employees, and partner organizations that a breach has occurred. Per the study, this includes “activities that enable the company to notify individuals who had data compromised in the breach (data subjects) as regulatory activities and communications.”

Services and activities related to notification costs include the following:

• Emails, letters, outbound telephone calls, or general notice to data subjects that their personal information was lost or stolen
• Communication with regulators; determination of all regulatory requirements, engagement of outside experts

Post-Data Breach Response
Following a breach, there are even more cost factors to consider. According to the Ponemon study, the response after a breach includes, “Processes set up to help individuals or customers affected by the breach to communicate with the company as well as costs associated with redress activities and reparation with data subjects and regulators.”

The post-breach response by a company will likely include at least some, if not all, of the following:

• Help desk activities and inbound communications
• Credit report monitoring and identity protection services
• Issuing new accounts or credit cards
• Legal expenditures
• Product or service discounts
• Regulatory interventions or fines

Lost Business
According to the Ponemon report, lost business was the greatest contributor to data breach costs. When companies experience a data loss, the resulting financial consequences of lost business was quite significant.

“The average cost of lost business for organizations in the 2019 study was $1.42 million, which represents 36 percent of the total average cost of $3.92 million,” according to the report. “The study found that breaches caused abnormal customer turnover of 3.9 percent in 2019.”

The study demonstrates that the cost of lost business, including customer turnover, business disruption, and system downtime is so significant that it could potentially lead an organization to shut its doors permanently. This is especially true if the company has no financial safety net such as cybersecurity insurance.

Some of the costs associated with lost business resulting from a breach include:

• Financial losses due to business disruption and revenue losses due to system downtime
• Lost customers and fees associated with acquiring new customers (customer turnover)
• Losses affiliated with damage to a business’s reputation and diminished goodwill

Size Matters
When it comes to the total cost of a data breach, the size of a company and its ability to bounce back afterward matters. The Ponemon study found the total cost of a breach for the largest organizations, those with more than 25,000 employees, averaged $5.11 million. Smaller companies, those with 500 to 1,000 employees, had an average cost of $2.65 million.

“Smaller organizations had higher costs relative to the size than larger organizations,” according to the report. “The total cost for organizations with more than 25,000 employees average $204 per employee. Organizations with between 500 and 1,000 employees had an average cost of $3,533 per employee.”

Why is this the case? Simply because the cost per record stolen or lost didn’t vary so the average cost per employee increased as the size of a business decreased. Ultimately, this means smaller companies face an average cost for a breach that is higher than larger organizations. That leads to the conclusion that smaller businesses also face more of a struggle when it comes to recovering financially from a cyber incident because they tend to have fewer resources than larger organizations.

Healthcare Hit the Hardest
One of the cost factors when it comes to a data breach is regulatory requirements. The Ponemon study demonstrated that organizations subject to more rigorous regulatory requirements faced higher costs associated with a breach than those with little or no regulations for data security. Industries such as healthcare, financial services, energy, and pharmaceuticals all experienced higher costs due to breaches.

Businesses in the healthcare industry were hit hardest in the 2019 study with an average total cost of a data breach coming in at $6.45 million. That’s 65 percent higher than the average total cost of a data breach.

Industries such as media, hospitality, retail, and research saw the lowest costs of a breach on average, according to the most recent Ponemon report. Additionally, public sector organizations also experienced a lower average cost for a breach as they often saw a lower turnover of clients post-breach.

Avoiding a Breach
There are many steps that even small business owners can take to help prevent a breach affordably. Start with the basics such as ensuring your firewall and antivirus programs are up to speed for every computer in the company. Limit access to data on a need to know basis (i.e. only allow employees access to the data they need to complete their job duties). This is known as the Principle of Least Privilege. You can also require employees to choose complex passwords or passphrases and initiate multi-factor authentication for accessing company data.

Additionally, here are a few other steps for increasing your company’s cybersecurity and preventing a costly breach:

• Conduct a cybersecurity audit to determine where your risks are and how to address them
• Initiate an email resilience program
• Train every employee on a regular basis to help them understand cyber threats and how to avoid them
• Consider full-time system and network monitoring which can help you identify attempted hacks or attacks quickly
• Keep your software updated regularly so updates and patches help protect your data
• Consider the security of your physical data and how it is stored and destroyed
• Purchase cybersecurity insurance

To learn more about the costs associated with a data breach, how costs negatively impact your company, or methods for affordably reducing the risk of a breach to your business, contact Dox Electronics now at (585) 473-7766.