Trading in intellectual property and personal data is so widespread that someone invented a calculator that can estimate the potential harm to your own business.
Nearly 5 million data records are lost or stolen worldwide every single day, according to the Breach Level Index. That’s a staggering 58 records every second. High profile data breaches hit the headlines with worrying frequency. Just last year there were notable incidents at Equifax, Verizon, and Kmart, to name just the three biggest.
Smaller breaches go unreported, and it’s not unusual for exposure to be grossly underestimated in the initial aftermath. For example, the real depth of Yahoo’s 2013 breach only came to light last October. It was a revelation that proved very costly, immediately wiping $350 million off Verizon’s acquisition
All of that comes before we consider the undiscovered data breaches lurking in the shadows of server stacks waiting to unseat executives, tank stock prices and damage reputations.
Data breaches have the power to cause enormous disruption, because they can, and often do, end up costing a huge amount of money to sort out. But the cost varies wildly depending on the country, the industry, and a host of other specifics.
What’s the cost of a data breach?
The 2017 Cost of Data Breach Study from the Ponemon Institute, sponsored by IBM, puts the global average cost at $3.6 million, or $141 per data record. That’s a reduction from the 2016 average, but the average size of data breaches has increased. It’s also worth noting that the average cost of a data breach in the United States is much higher, at $7.3 million.
You can use the data breach calculator to arrive at a good estimate for your business. It allows you to factor in not just location and industry, but also lots of pertinent extras like compliance considerations, third-party involvement, insurance protection, and a whole lot more.
The size of the breach is also, obviously, an important factor in determining the overall cost. For a breach that results in fewer than 10,000 records being compromised, the average total cost is $1.9 million, but for 50,000 or more that rises to $6.3 million.
As the General Data Protection Regulation (GDPR) comes into effect in May, the cost of non-compliance could be about to skyrocket. It’s also worth remembering the potential for reputational damage to cause a downswing in any company’s fortunes. An interesting assessment of British telecoms company TalkTalk by Alva shows the impact of data breaches on reputation, and highlights how reputational risks grow more damaging when they aren’t successfully managed.
How you react has a big impact
Breaches will happen, but how you act to mitigate them has a very real impact on the bottom line. While the initial data breach is certain to cost money to fix, things get a great deal more expensive when they’re mishandled. For example, Equifax made a bad situation a lot worse by delaying disclosure, misdirecting potential victims, and failing to patch known vulnerabilities.
Putting a good security awareness program in place isn’t just a preventive measure; it also trains people in how to act when a suspected data breach does occur. Ponemon found that an incident response team can reduce the cost of a breach by up to $19 per record. If you want to keep costs down, having a solid response plan in place and taking the right action quickly is vital.
It stands to reason that the faster a data breach is uncovered and contained, the less it will cost, but most organizations still have a lot to do in this area. Ponemon found the average time to identify was around 191 days last year, with another 66 days on average required to contain the breach. These times could be reduced if every organization would keep up to date with NIST’s Cybersecurity Framework, keep tighter control of its data, and consider scanning the dark web for threat intelligence.
There’s no doubt that the potential cost of a large data breach should be enough to give many executives a sleepless night. But that fear should be leveraged by CISOs and other InfoSec professionals to persuade organizations to do the right thing and invest properly in cybersecurity. It might not be possible to completely prevent breaches, but the right preparation can dramatically reduce the resulting cost.