Adding it all up: what determines the cost of a data breach?

They say that numbers don’t lie, but they can be manipulated to tell a prettier version of the truth. When looking at the cost of a data breach, most organizations want to see low numbers. The reality is that the total cost of a data breach is both quantifiable and difficult to gauge.

Whether analyzing the numbers on a per-stolen-record basis or by the average total cost of a data breach, the numbers are lofty, according to the 2017 Cost of Data Breach Study: Global Overview released in June by the Ponemon Institute.

Though down from 2016, the average total cost of a data breach for the more than 400 companies that participated in the study is $3.62 million.

Kaspersky Lab widened the net in its survey of the cost of a cyberattack and found that from the 5,000 participants, the total impact of a breach for a North American enterprise comes in at only $1.3 million—about a third of what the Ponemon study reported.

That’s quite a gap that on the surface has North American enterprises benefiting from geography, but they reported having suffered the most breaches with the highest loss of records. Overall, each breach is not only growing larger but more costly as well.

Piecing the price together

Understanding the bigger picture of the overall cost of a breach involves more than numbers. Here are a few additional pieces to consider when piecing together the bigger puzzle of the total cost of a breach:

  • A data breach results in broken trust. Customer loyalty is at the heart of most organizations. Without customers, there really is no business. When the customer’s trust is broken, the business suffers a loss in both profits and shares. It’s one that might be difficult to quantify immediately, but the overall impact can be quite significant.
  • Size does matter. When most people think about the recent Equifax breach, it’s the sheer number of stolen records that sounds most alarming. To say we’ve been breached is an unfortunate result of doing business in today’s digital world. Having to confess that more than 143 million records were stolen might be hard to come back from.
  • Time is money. By the time most breaches are detected, the malicious actors have been in the network for some time—anywhere from 30 days to more than a year. The longer they are able to linger undetected, the greater the damage.
  • More than a penny for your thoughts. No one likes to be the bearer of bad news, but in the aftermath of a breach, victims need to be notified. Oftentimes, the costs of responding to a breach include the price of counsel, law enforcement, identity protection services for victims and other customer service communications. Add to that the public relations investment needed to sustain the court of public opinion.
  • What you can’t put a price on. Tied into the overall cost—or loss—in the aftermath of a breach is the reality that people will lose their jobs. There’s no real ‘cost’ in an employee resigning, but there are expenses incurred by the enterprise like the $4 million in pension benefits that the former Equifax CEO will collect.
  • Why things start to add up. The greatest cost to companies that have been breached results from having to either pay internal staff more money for the time it will take to respond to the attack or to hire outside help, like forensic investigators.
