We’ve all read the headlines about data breaches and the subsequent million-dollar lawsuits, but it’s important to recognize that there are other damages beyond those reported in the news. The cost of a data breach is made up of both direct costs, like stolen data or intellectual property (IP), and indirect costs, like reputational damage. Many are long-term, impacting your bottom line for years after you discover the breach. So what’s the real cost of a data breach?
As a business owner, the data and assets you rely on to maintain operations are valuable and must be secured. Considering that the global average cost of a data breach exceeded $4 million for the first time in 2021, the aftermath can absolutely devastate your business. There are many ways to reduce the impact (more about those later), but let’s first look at how these costs add up.
What makes up the true cost of a data breach?
The initial response
As soon as you discover your business has been compromised, you need to respond right away to mitigate the damage. The cost of your initial response can skyrocket as you:
- Document the attack
- Quarantine compromised hardware and software
- Contain and eliminate the threat
- Analyze activity logs
- Fix the vulnerability (or vulnerabilities) that caused the breach
- Repair or replace infected systems
- Implement security improvements
Each step in your initial data breach response can take days, weeks, or even months. It’s a long process that needs to be done right, meaning you may need to hire an experienced incident response team for the job. Getting experts in quickly can prevent further data loss, reducing the total cost of the breach.
Compromised IP and customer data
A customer’s personally identifiable information (PII) is the most expensive and frequently compromised data in a breach. PII is valuable to threat actors because it can provide enough information to apply for loans, credit cards, or even passports in the victim’s name. It’s also a means for the attacker to extort the victims for money or gain access to their online accounts.
Compromised customer records drastically increase the cost of a data breach. LifeLabs, one of the largest medical testing providers in Canada, experienced a data breach in 2019. The incident exposed the full names, home and email addresses, health card numbers, and other PII of 15 million Canadians. The victims have since filed a class-action lawsuit for more than $1 billion.
The media tends to focus on customer data during a breach, but lost IP can be just as devastating. Stolen trademarks, patents, copyrights, and trade secrets can threaten the future of your company. Imagine investing years perfecting a product, only to have the source code stolen and auctioned off. It’s difficult to estimate what a lost product may have been worth, but it’s a major setback.
Costly ransom demands of a data breach
Ransomware significantly adds to the cost of a cyber security data breach — tacking on an average of nearly $150,000. Despite officials pleading with companies to disregard hacker demands, 53% of ransomware victims opted to pay a ransom in exchange for their data.
This high statistic is likely because attackers do their homework. Our team of cyber security experts has discovered that attackers are starting to research their targets. They look at assets and financial reports to determine the potential victim’s ability to pay a ransom.
Organizations will often agree to pay because it costs less than the operational downtime, reputational harm, and non-compliance fees of a publicly disclosed data breach. But paying off a cyber criminal to avoid those extensive repercussions doesn’t always work.
Consider the 2016 data breach involving ridesharing company Uber. A hacker compromised the PII of nearly 60 million employees and customers and, instead of disclosing the breach immediately, the company paid the cyber criminal $100,000 to delete the data and keep quiet. The news leaked shortly afterward anyway, resulting in a $148 million settlement on top of other damages.
Lost business and reputation damage
We recently asked our LinkedIn community to share which data breach impact concerned them most. Almost 40% said reputation damage was their biggest worry, followed by cost, system damage, and downtime.
Their concerns are well-founded. A data breach will inevitably damage your reputation and negatively affect your ability to acquire and maintain business. And, as it turns out, lost business is the most expensive aspect of a cyber security data breach for many victims — accounting for nearly 40% of the average total cost.
For example, imagine an online retailer has just experienced a breach affecting its website and customer data. In this situation, costs for “lost business” could add up quickly from:
- Missed sales due to system downtime
- Canceled contracts with third parties or other business partners
- Activities to minimize customer loss (e.g., hosting a customer appreciation sale)
- Lost customers due to reputation damage
- Higher costs to acquire new customers (e.g., additional marketing campaigns)
Studies confirm that public perception changes drastically after an incident — 62% of Americans and 44% of Brits admitted they would stop buying from a brand for several months following an attack.
And while it’s possible to win back customers after a data breach, that comes at a cost too. After a breach, customers prefer compensation, a detailed explanation of what happened, and proof that proper security controls are in place, according to PwC research.
Legal and non-compliance penalties
Like every other cost associated with a data breach, legal and regulatory penalties vary depending on several factors. The size of the breach, types of data stolen, and your initial response will influence how much you spend on legal costs.
Your legal situation may need only 50 attorney hours or thousands. You may need to hire a PR or crisis communications team to speak to stakeholders, affected customers, and the public. You may face individual lawsuits or major class action proceedings. As you can see, legal fees add up quickly, further driving up the total cost of a breach.
Highly regulated industries, such as healthcare and financial services, will pay more in non-compliance fines than others. Healthcare data breaches are far more expensive than the average breach, and that’s likely due to the industry’s extensive data privacy policies.
Those in highly regulated countries will also see higher penalties. Canadian organizations may be fined up to $100,000 (CAD) under the Personal Information Protection and Electronic Documents Act (PIPEDA) with similar fines for European Union (EU) members governed by the General Data Protection Regulation (GDPR).
How to reduce the cost of a data breach
Every business has something a threat actor wants, whether that’s IP, financial credentials, customer PII, or third-party supplier data. Even smaller companies could experience a breach and must take preventative measures to minimize potential damage to both their finances and reputation.
Not all breaches are due to a malicious attack; in fact, many are due to simple misconfigurations and human error. And, as we continue onboarding remote employees and adopting hardware and software to support a new normal, there’s even more room for mistakes.
Lower your risk of a breach by configuring cloud services correctly, optimizing your patch management policy, enabling multi-factor authentication (MFA), and making cyber security a shared responsibility. Educate employees on common threats and cyber security best practices that will reduce the chances of an attack.
As an added layer of protection, invest in a cyber security solution that offers in-depth monitoring across your entire IT environment. This visibility will help you detect some threats early and prevent others entirely. Be sure that the solution is easy to use or offered as a managed service, as having a complex tech stack can weaken your defence.
There’s a growing divide in total breach costs between organizations prepared for an incident and those that are not. After all, every minute a breach goes undetected is another minute the attacker can compromise accounts, infect devices, and steal data. Reduce damages by investing in an incident response (IR) preparedness service. We work with you to improve your current cyber security posture and develop a customized response plan to lower the costs and impacts of security incidents.
Taking these steps now will reduce the cost of a future data breach, potentially saving you and your business from months or years of recovery. Remember, a data breach is more expensive than investing in proper cyber security measures.