The actual cost of a data breach is significantly more than the damages reported in news stories.
We’ve all read those headlines detailing a recent data breach and the subsequent million-dollar lawsuits. It’s true that data breaches consist of direct, quantifiable costs such as fines or lawsuits regarding stolen information.
However, there are indirect costs as well, such as reputational damage, that can impact your company’s bottom line for years.
Considering that the global average cost of a data breach hit an all-time high of USD$4.35 million in 2022—up almost 13% in two years—the aftermath can absolutely devastate a business.
The data and assets you rely on to maintain operations are valuable and must be secured to prevent a breach. There are many ways to reduce the impact if one should happen (more on that later), but let’s first look at how the costs of a data breach tally up.
Breaking down the costs of a data breach
Incident response and recovery
As soon as you discover a compromise, you need to respond immediately to minimize the damage.
The initial response costs can skyrocket as you:
- Quarantine compromised hardware and software
- Analyze activity logs
- Document the findings
- Fix the vulnerability (or vulnerabilities) that caused the breach
- Repair or replace infected systems
- Implement security improvements
Each step in your initial data breach response can take days, weeks, or even months. It’s a long process that needs to be done right, meaning you may need to hire an experienced incident response team for the job. Getting experts in fast can minimize damage, accelerate recovery, and even prevent future breaches.
“Getting experts in fast can prevent further data loss, reducing the overall cost of a breach.”
A blog post from the UK’s National Cyber Security Centre proves just how costly an inadequate response can be. One unnamed organization paid millions in ransom to recover its files but did not identify the root cause of the attack or secure its network. “Less than two weeks later,” the blog says, “the same attacker attacked the victim’s network again, using the same mechanism as before, and re-deployed their ransomware.” The victim organization wound up paying ransom a second time.
Compromised IP and customer data
PII is valuable to threat actors because it can provide enough detail to apply for loans, credit cards, or even passports in the victim’s name. It’s also a means for the attacker to extort the victims for money or gain access to their online accounts.
Compromised customer records drastically increase the cost of a data breach. T-Mobile, a wireless network operator in the United States, suffered a massive data breach in 2021. The attack exposed the full names, birthdates, social security numbers, driver’s licence numbers, and other PII of more than 40 million former or prospective customers and 8 million current T-Mobile customers. Since then, over 50 lawsuits have been filed against the organization.
The media tends to focus on customer data during a breach but losing intellectual property (IP) can devastate company growth. IP can constitute 90% of a company’s value, which explains the appeal of paying cyber crime groups to steal and hand over a competitor’s IP.
Stolen trademarks, patents, copyrights, and trade secrets can threaten a company’s future. Imagine investing years perfecting a product, only to have the source code stolen and auctioned off.
Despite officials pleading with companies to disregard hacker demands, 53% of ransomware victims opted to pay a ransom for their data back. There are a couple of reasons that organizations choose to pay the ransom despite being advised not to.
One reason is that attackers do their homework. By researching their targets’ financials—looking at the company’s assets and financial reports—they can demand a realistic figure, increasing the chances the victim will take the offer. The logic is simple: demanding $50 million from a smaller organization wouldn’t work, but $50,000 could.
Another reason companies agree to pay a ransom is because doing so would cause less damage than the operational downtime, reputational harm, and non-compliance fees of a publicly disclosed data breach. Paying ransom might be appealing, but it’s important to remember that the transaction isn’t always as flawless as it might seem.
Take the ransomware attack on Colonial Pipeline, for example. The organization paid the hacker group $4.4 million in exchange for a tool that would decrypt systems and fast-track the recovery process. However, the tool was reportedly so slow that the victim organization continued using their own data backups to restore their systems.
“Ransomware significantly adds to the cost of a cyber security data breach—tacking on an average of nearly $150,000.”
Paying the ransom doesn’t always buy what you think it does, either. Consider the 2016 data breach involving ridesharing company Uber. A hacker compromised the PII of nearly 60 million employees and customers. Instead of disclosing the breach immediately, Uber paid the cyber criminal $100,000 to delete the data and keep quiet. Information about the breach leaked anyway, resulting in a $148 million settlement on top of other damages.
Lost business and reputation damage
We asked our connections on LinkedIn what concerned them most about experiencing a data breach. Almost 40% said reputation damage was their biggest worry, followed by cost, system damage, and downtime.
Their concerns are well-founded.
A data breach will inevitably damage your reputation and negatively affect your ability to acquire and maintain business. In fact, lost business has been the most expensive aspect of a cyber security data breach for the past six years—only finally being displaced by incident detection and escalation costs.
Imagine an online retailer has just experienced a breach affecting its website and customer data. In this situation, “lost business” costs may include:
- Missed sales due to system downtime
- Cancelled contracts with third parties or other business partners
- Activities to minimize customer loss (e.g., hosting a customer appreciation sale)
- Lost customers due to reputation damage
- Higher costs to acquire new customers (e.g., additional marketing campaigns)
Studies confirm that public perception changes drastically after an incident—62% of Americans and 44% of Brits admitted they would stop buying from a brand for several months following an attack.
And while it’s possible to win back customers after a data breach, that also comes at a cost. After a breach, customers prefer compensation, a detailed explanation of what happened, and proof that proper security controls are in place, according to PWC research.
Legal and non-compliance penalties
Like every other cost associated with a data breach, legal and regulatory penalties vary depending on several factors. The size of the breach, types of data stolen, your industry or geographical location, and initial incident response will influence your legal costs.
Your legal situation may need only 50 attorney hours or thousands. You may need to bring in a crisis communications team to speak to stakeholders, affected customers, and the public.
Depending on the extent of the damage, you may need to enlist a PR firm for long-term support. You may face individual lawsuits or major class action proceedings.
Highly regulated industries, such as healthcare and financial services, will pay more non-compliance fines than others. Healthcare data breaches are far more expensive than the average breach, and that’s likely due to the industry’s extensive data privacy policies.
Those in highly regulated countries will also see higher penalties. Canadian organizations may be fined up to $100,000 (CAD) under the Personal Information Protection and Electronic Documents Act (PIPEDA), with similar fines for European Union (EU) members governed by the General Data Protection Regulation (GDPR).
How to lower your chances of a data breach
Every business has something a threat actor wants—IP, financial credentials, customer PII, or third-party supplier data. Breaches are becoming less a matter of “if” and more a matter of “when,” even for the smallest of businesses.
However, there are steps you can take that both lower the chances of a breach happening and lower the damage that occurs if one does.
Raise awareness company-wide
It’s true that some breaches are purposeful and malicious, like when a competitor knowingly targets your business to steal confidential corporate data or when a disgruntled former employee uses their old accounts to steal financial information.
Other times, however, breaches are unintentional. For example, an employee sends a report with confidential customer data to the wrong email address. Or an employee clicks on a link in a phishing email and unknowingly runs a file containing malware.
Cyber security is a shared responsibility. Cyber criminals sometimes focus on targeting people and accounts instead of systems, making employees a critical part of your company’s defence.
Educate employees on common attack tactics, techniques, and procedures, so they are better equipped to identify when they’re being targeted. Also, make sure employees know about and are following cyber security best practices, including using strong passwords and multi-factor authentication.
Reduce your threat surface
Your company’s threat surface consists of people and accounts, software, hardware, cloud-based services—basically anything an attacker can exploit. By understanding and reducing your threat surface, you’re also reducing attack opportunities for a cyber criminal.
Look to correct things like misconfigured software that might be leaving you vulnerable. Delete old accounts belonging to former employees, and ensure that current employees only have access to the data and systems necessary to carry out their usual tasks.
Keep all your software patched (running the most recent version). Patching can be tedious and time-consuming—sometimes requiring a reboot to complete—and it often feels like there’s a new update every other day. But patching is critical. New versions fix bugs, add new features, improve performance, and address security vulnerabilities.
Create and maintain data backups
A data backup is basically a copy of data that can be recovered later. There are many approaches to data backups—an external hard drive, using self-serve cloud storage, or working with a backup provider.
Every backup solution has its advantages and disadvantages. Take the time to select an approach based on your company’s unique needs; for example, saving business-critical data to an external hard drive might not make sense for remote-only organizations or for those without IT professionals.
Backups are a critical component of a recovery plan, making it easy to retrieve essential files after an attack or other event that compromised your data. Should an incident occur and limit access to critical files, having a reliable backup expedites recovery and gets you back to business faster.
Be prepared for an incident
There’s a growing divide in total breach costs between organizations prepared for an incident and those that are not. In fact, organizations that have an incident response (IR) team and regularly test their IR plan pay USD$2.66 million less in data breach costs than those that don’t—a massive 58% in cost savings.
Effective IR planning is vital: the longer it takes a company to respond to a breach, the more costly it can be. After detecting an attack, how fast you respond may mean the difference between continued business and closing your doors.
An IR plan will typically include:
- An overview of objectives and scope
- Scenarios and incident examples
- Roles and responsibilities
- The incident response steps
There are IR plan templates and guidelines available, but creating your own is time-consuming and may be out of scope for many smaller businesses.
It’s often easier to invest in an incident response (IR) preparedness service, where you can work with experts to assess your company’s cyber security posture and develop a customized plan to lower the impacts of an incident.
Put the right solutions in place
It takes, on average, about 280 days to detect and contain a breach. To put that into perspective, that’s like saying an attacker gained initial access to your systems in early January and stayed until mid-October of that same year.
Why does it take so long to detect and contain breaches? It might be because many organizations don’t have the right level of visibility of their network, cloud-based services, and endpoints. Companies often stitch together numerous cyber security tools—a firewall, antivirus, maybe even an email filtering tool—to try to create a unified defence. The result, instead, is usually a defence filled with gaps and limited visibility.
Studies have found that using automated technology to identify and contain cyber security incidents instead of manual processes drastically decreases the breach lifecycle and, in turn, reduces breach costs. Organizations with fully deployed security automation resolved their breaches 74 days faster and paid $3.05 million less in costs than organizations without automation.
Covalence, our holistic cyber security solution, detects and responds to threats and vulnerabilities across your network, cloud-based services, and endpoints. And with automatic blocking against major cyber threats like ransomware and advanced persistent threats (APTs), you can sleep soundly knowing your cyber security is handled.
Other cyber security costs to know about
Taking these steps now will reduce the cost of a future data breach, potentially saving your business from months or years of recovery. Remember, a data breach is more expensive than investing in proper cyber security measures.
Discover what other costs you should consider when planning or evaluating your cyber security budget in our eBook, The True Cost of Cyber Security: Key Insights for Managing Your Budget.