Patrick M. Rost, Senior Consultant for Dopkins System Consultants, authored What Would a Data Breach Cost You? on February 3, 2021. His blog was reprinted with our permission in the Q2 2022 edition of Northeast Dairy Magazine.  

To read the article in Northeast Dairy Magazine, please click here & scroll to online pages 56-57 (print edition pages 54-55.) 

With an average cost of a data breach in the United States at a staggering $8.64 million in 2020, allocating a budget to identify and prevent a data breach are more critical than ever.  Although the largest incidents make headlines, businesses of all size are subject to cyber threats. In this post we examine ways to mitigate your risk.

Let’s start by breaking down the factors that contribute to the cost of a breach. 

Lost Business Costs

Research performed by the Ponemon institute, an independent research company, and IBM (https://www.ibm.com/security/data-breach) found that in 2020 lost business accounted for nearly 40% of the average cost of a breach.  Further:

• Customers lose faith in the company when they are notified of the breach or hear about it in the news and may look to end the business relationship.
• Potential customers will likely look to another company that they feel can protect their data better.

Time is Money: Costs related to identifying and containing the breach

The 2020 study also discovered that the average time it took to identify and contain a breach was 280 days. Responsiveness is definitely a contributing factor to recovery: companies who were able to contain in fewer than 200 days saved an average of $1 million. Also, note there will be additional costs such as attorneys’ fees. You may also incur legal costs to pay settlements due to federal and state laws (Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act (SOX), NYS SHIELD Act, etc.) that regulate the disclosure of a breach and may require settlements to be paid. Business operating globally may face similar laws in other countries such as the European General Data Protection Regulation (GDPR) and United Kingdom’s Data Protection Act (DPA). These laws typically add regulatory fines that are calculated per breached record as well as fines if they determine the proper protections were not in place.

Based on the Ponemon/IBM research, the average cost of a data breach globally in 2020 was $3.86 million in US funds. However, costs to United States based businesses faced the highest average cost at a staggering $8.64 million. Health care entities faced the highest industry average cost at $7.13 million. Unfortunately, recovery is not a fast process: approximately 40% of costs are incurred after the first year, 15% are incurred after the second year, and further costs extend beyond year two.

While the global average cost is $3.86 million, the cost of a breach also varies based on size of the company. Companies with fewer than 500 employees still face a staggering average cost of $2.35 million globally while companies with 5,001-10,000 employees have the highest average at $4.72 million globally.* These statistics reflect that companies of all sizes can be breached and incur a large cost.  Even though smaller companies have lower averages, cyber criminals recognize the security controls may be easier targets to breach and remain at high risk of an incident.

What’s causing the breaches? 

The research by Ponemon and IBM also report on threat vectors responsible for breaches.  They found that compromised credentials are both the most frequent and most costly threat vector, stressing the need for secure passwords.  Following compromised credentials in frequency is cloud misconfiguration, vulnerability in third-party software, and phishing.

How do you prevent a breach?

In the scenario that a breach occurs there are several factors that can mitigate, or amplify, the cost.

Mitigating: Incident Response Testing is the leading mitigating factor, saving businesses an average of $295,267 during a breach.  Other mitigating factors are Business Continuity Plans ($278,697 average savings), Employee Training ($238,019 average savings), and Encryption ($237,176 average savings).

Amplifying: Complex Security Systems were the leading amplifying factor, costing businesses an average of $291,870. Other amplifying factors are Cloud Migration ($267,469 average cost), Security Skills Shortage ($257,429 average cost), Compliance Failures ($255,626 average cost), and Remote Workforce ($136,974 average cost).

Ultimately, the best way to avoid these costs are to avoid a data breach altogether.  But, in the event an incident occurs, your best recourse is to plan now to mitigate the factors and minimize the risks to your business.

For a printable copy of this article, please click here.

If you would like to have a conversation and discuss ways to mitigate the risk of a breach contact Patrick Rost (prost@dopkins.com).  Check out our STARTegy page for more information about our Strategy for Getting Started with Information Security.