The true cost of a data breach may be significantly more than you think, according to the latest report by IBM. The technology firm found that the average data breach in 2023 cost companies a record $4.45 million.
This figure includes direct costs that are easily measured, such as fines or lawsuits, as well as indirect costs, such as reputational damage which can have serious, long-lasting financial impacts.
It's no surprise that data breaches can be devastating. However, this report serves as a big reminder that there are many ways to reduce the risk of a data breach, and there are also many ways to reduce the damage and consequences should one happen anyway.
But before we can look at how to lower the cost of a breach, let's look at how the numbers add up.
How the costs of a data breach add up
Incident response and recovery
The costs of identifying and resolving a data breach have grown. According to the report, expenses related to detecting and escalating a breach have increased from $1.23 million in 2018 to $1.58 million in 2023. Post-breach response costs are also on the rise, increasing from $1.02 million in 2018 to $1.2 million in 2023.
Detection and escalation-related costs can include investigative activities, audit services, crisis management, and communications to company leaders. Specific incident response tasks vary depending on the company and incident but might include:
- Quarantining compromised hardware and software
- Analyzing activity logs
- Documenting the findings
- Fixing the vulnerability (or vulnerabilities) that caused the breach
- Repairing or replacing infected systems
Inadequate responses only drive costs up further. A blog post from the U.K.'s National Cyber Security Centre discussed one unnamed organization that paid millions in ransom to recover its files without identifying the root cause of the attack. Two weeks later, the same attacker returned to the victim's network using the same entry method and the same ransomware, and the organization ended up paying the ransom a second time.
Compromised IP and customer data
Customer data is the costliest and most common type of record stolen during data breaches. Personally identifiable information (PII) cost companies $183 per record stolen in 2023. This type of data can include highly sensitive details such as a person's social insurance number, passport information, credit card details, banking records, even medical records. PII was stolen during 52% of data breaches—up 5% from the year before.
But companies that avoid losing PII during data breaches still run the risk (and costs) of having intellectual property (IP), such as patents and trademarks, compromised. IP can account for up to 90% of a company's value and is targeted primarily by state-sponsored cybercrime groups.
The IBM report found that in 2023, ransomware accounted for 24% of all malicious attacks. Despite officials pleading with companies to disregard hacker demands, 53% of ransomware victims opted to pay a ransom for their data back.
One reason companies may agree to pay the ransom? They believe the payment will cost less than the operational downtime, reputational harm, and noncompliance fees of a publicly disclosed data breach.
Paying ransom might be appealing, but it's important to remember that the transaction isn't always as flawless as it might seem. Consider the ransomware attack on Colonial Pipeline. The organization paid the hacker group $4.4 million for a tool to decrypt systems and fast-track recovery. However, the tool was reportedly so slow that the victim organization continued using its own data backups to restore its systems.
Cybercriminals don't always stick to their word, either. A recent study from TELUS found that under 50% of Canadian companies that paid a ransom actually got their data back. Paying your attackers does not guarantee recovery.
Another related point from the report: companies that didn't involve law enforcement in ransomware attacks faced nearly $500,000 in extra costs. This difference may be explained by the shorter containment times seen when law enforcement is involved.
The total time to identify and contain a ransomware attack is 273 days with law enforcement's involvement and 306 days when law enforcement isn't involved. Longer containment times force companies to allocate more resources, like labor hours, toward dealing with the breach.
Lost business and reputation damage
Lost business and reputation damage accounted for $1.3 million of the total costs associated with a data breach in 2023. That's down from previous years, but still significant—especially given how long the reputational damage from a breach can stick.
Some of the costs associated with this aspect of a data breach include:
- Missed sales due to system downtime
- Cancelled contracts with third parties or other business partners
- Activities to minimize customer loss (e.g., hosting a customer appreciation sale)
- Lost customers due to reputation damage
- Higher costs to acquire new customers (e.g., additional marketing spend)
Studies confirm that public perception changes drastically after an incident. For example, 60% of survey respondents reported being less likely to do business with a retailer or brand that has suffered a data breach, and 21% said they would change companies outright after a data breach.
Legal and noncompliance penalties
Legal and regulatory penalties associated with data breaches can vary depending on several factors. The size of the breach, the types of data stolen, your industry or geographical location, and your company's initial incident response will all inform legal costs.
For example, your legal situation may need a dozen billable hours or hundreds. Depending on the extent of the damage, you may decide to enlist a PR firm for long-term support. In some cases, you could even face individual lawsuits from the victims or major class action proceedings.
Companies in highly regulated industries, such as healthcare and financial services, will pay greater noncompliance fines than others. For example, healthcare data breaches are far more expensive than the average breach, likely because of the industry's extensive data privacy requirements.
Those in highly regulated countries will also see higher penalties. Canadian organizations can be fined 100,000 Canadian dollars under the Personal Information Protection and Electronic Documents Act, with similar fines for European Union members governed by the General Data Protection Regulation.
How to protect against a data breach
We've covered the different expenses your company may experience if it becomes the victim of a data breach. Now let's look at steps you can take to lower the cost of a breach or, ideally, avoid one entirely.
Raise awareness company-wide
As a first step, it's smart to raise company-wide awareness of data breaches. While it's true that some breaches are purposeful and malicious, others are entirely unintentional. You may be able to prevent some of these through increased cybersecurity education and training.
For example, an employee could send confidential customer data to the wrong email address. Or they might click on a link in a well-crafted phishing email, accidentally launching malware on their device. Educating your team about cyber risks like these may reduce the chances of an unintentional breach.
Anyone in your company can be targeted, which makes cybersecurity a shared responsibility. For the best results, educate all employees on common attack tactics, techniques, and procedures so they're better equipped to identify when they're the target.
Also, make sure employees know and follow cybersecurity best practices, including using strong passwords and turning on multi-factor authentication wherever possible.
Reduce your threat surface
Your company's threat surface consists of people and accounts, software, hardware, and cloud-based services—anything an attacker can exploit. By understanding and reducing your threat surface, you reduce attack opportunities.
For example, you can correct misconfigured software that might be putting confidential data or critical systems at heightened risk of compromise. It's also best practice to delete old accounts of former employees and ensure that current employees only have access to the data and systems necessary to complete their tasks.
You should also make sure all software is running on the most recent version. Patching can be tedious and time-consuming—sometimes requiring a reboot to complete. But it's necessary. Patches fix bugs, add new features, improve performance, and address critical security vulnerabilities.
Create and maintain data backups
A data backup is a copy of data that can be recovered later. Backups are critical to a recovery plan. They make it easier to retrieve essential files after an attack or other event that compromises your data. Should an incident occur and limit access to critical files, having a reliable backup expedites recovery and gets you back to business faster.
There are many approaches to data backups, including external hard drives, self-serve cloud storage, and using a dedicated backup provider. Every backup solution has its advantages and disadvantages, which is why it's important to take time to select an approach based on your company's unique needs.
For example, saving business-critical data to an external hard drive might not make sense for remote-only organizations or those without IT professionals who can carry out the work. But it could make sense if you have a physical office and an in-house IT infrastructure team.
Be prepared for an incident
There's a divide between organizations that are prepared for a data breach and those that aren't. Effective incident response (IR) planning is vital because the longer a company takes to respond to a breach, the more costly it'll be.
An IR plan will typically include:
- An overview of objectives and scope
- Scenarios and incident examples
- Roles and responsibilities
- The incident response steps
There are IR plan templates and guidelines available online, but creating your own can be time-consuming and may be out of scope for many smaller businesses. Investing in an IR preparedness service is often easier, as you'll work with experts to assess your company's cybersecurity posture, identify key assets and roles, and develop step-by-step incident response playbooks.
Put the right solutions in place
Studies have found that using automated technology to identify and contain cybersecurity incidents instead of manual processes drastically decreases the breach life cycle and, in turn, reduces breach costs. Organizations with fully deployed security automation resolved their breaches 74 days faster and paid $3.05 million less in costs than organizations without automation.
But not just any technology will do. Simply layering point solutions (one for your endpoints, one for the cloud, and so on) often results in visibility gaps, an unmanageable volume of alerts to open and investigate, and inadequate security. Having the right solutions in place is paramount.
Covalence combines automation and human intelligence to detect and respond to threats and vulnerabilities across your network, cloud-based services, and endpoints. And with automatic blocking of major cyber threats like ransomware and advanced persistent threats, you can sleep soundly knowing your cybersecurity is handled.
Reduce your risk of a breach today
The cost of a data breach can devastate your company. That's why there's no time like the present to take preventative action. Field Effect can help you do that with our managed detection and response solution, Covalence. Book a demo today to see how Covalence reduces cyber risk and improves your defense.
If you think you're experiencing a cyberattack or security event now, our incident response (IR) team is available 24/7 to investigate, remediate, and get you back to business. Please contact our team if you need immediate IR assistance.