[BreachExchange] Just How Expensive are Data Breaches?

Destry Winant destry at riskbasedsecurity.com
Thu Sep 12 10:11:34 EDT 2019


The cost of a data breach is not limited to regulatory fines; it
extends to more significant losses to the business and erodes
customer trust.

Security incidents and data breaches are becoming increasingly costly.
Recent examples include the $53 million cost to the Canadian lender
Desjardins Group in the wake of a breach that exposed the PI of 2.9
million members. Manufacturer Norsk Hydro also revealed that the final
bill for its cyber attack could be as high as $75 million. Marriott
and British Airways have each had to add $100 million to the final cost
of their incidents after falling foul of GDPR.

While these are high-profile examples of the extreme ends of the
scale, the impact of suffering a data breach, financially, continues
to increase for companies of all sizes. A report by IBM and the
Ponemon Institute states that the average cost of a data breach in
2019 is $3.92 million.

By 2021, almost 30% of organizations globally are likely to suffer at
least one breach. The highest cost is faced by US organizations, with
an average of $8.19 million per breach, while in the UK it costs $3.88
million per breach. The cost per record amounts to $150 on average
globally; $242 in the US and $155 in the UK. This final cost per
record is affected by how prepared an organization is and how it
reacts to the breach. As customers become less accepting of security
failures, a breach is likely to create customer turnover of 3.4%.

During a breach, time is money, and slow detection and containment
make a breach more costly. Globally, South African (226 days) and
German (170 days) organizations are the quickest at finding and
containing breaches, while companies in Brazil (361 days) and the
Middle East (381 days) take the longest. Among sectors, healthcare,
entertainment, and public sector organizations take the longest to
find and contain a breach. The financial services, research, and
technology sectors are the quickest at discovery and remediation.

With the introduction of GDPR and many more privacy laws appearing
across the globe, compliance is becoming an essential part of the cost
of a breach. The U.S. alone has 52 different state privacy laws.
Experts note that when breaches occur, companies very often do not
have in-house expertise in each of these laws. Hiring or outsourcing
security experts is expensive, and companies unwilling to pay for that
expertise suffer the regulatory fines, which are becoming increasingly
steep.

The best way to keep data breach costs low is to be prepared for
eventualities. Experts believe that far more is needed than a piece of
paper that says, ‘Here are the contact details for the security team.’
Organizations need to rehearse multiple scenarios in an immersive
environment, test their plans, identify gaps, and then close them.

Another crucial part is the public response. Companies cannot afford
to lose customer trust, as it ultimately leads to lost business and
can increase the overall cost of the breach. According to experts,
effectively getting messaging out to clients or consumers about what’s
going on can be an opportunity to build a lot of goodwill. When
handled correctly, it can build customer confidence, but it requires
preparation and training in advance.
