This post was originally published October 31, 2016 and has been updated for accuracy and comprehensiveness.
A recent study by Radware and Merrill Research found that the average cost of a data breach has spiked significantly, increasing from $3 million per incident in 2018 to $4.6 million in the first half of 2019 alone.
There are countless factors that could affect the cost of a data breach in your organization, and it’s virtually impossible to predict the exact price tag. You might be able to estimate a range with the help of a data breach calculator, but no single tool is perfect.
Calculating The Cost Of A Data Breach: Factors You Should Keep In Mind
Several factors come into play when determining the precise data breach costs that organizations may incur. Understanding these costs and how and why they arise can help you better understand cyber risk and put in place the appropriate cybersecurity controls and best practices to mitigate a breach and the associated financial impacts.
1. Location, Type of Currency, and Company Size
Even simple things like exchange rates of the currency your business predominantly uses can impact the cost of a cybersecurity breach. If you’re a small shop that deals with limited (or no) customer data, the cost of a data breach may be significantly lower than what a larger corporation may experience.
2. Industry and Type of Data or Records Held
The type of data lost in a breach is one of the largest contributing factors to the cost of a data breach.
The loss of email addresses may not involve as large a payout as the loss of personally identifiable information (PII), sensitive customer data (like social security numbers), payment card information, protected health information (PHI), etc. The more sensitive the record is, the more costly the breach will be. For example, if you lose payment card information, you may need to offer free credit monitoring to those affected. Or, if you’ve compromised customer health data, you may be subject to regulatory fines from governmental agencies.
3. The Root Cause of the Breach
The root cause of a breach can certainly influence the number or type of records lost, which correlates to the cost of a data breach. For example, was the breach caused by a third party? In a recent study, the Ponemon Institute found that “breaches involving third-party organizations remained the most costly.” Reducing your third-party cyber risk through continuous monitoring can help offset these potential costs.
4. Business Disruption
If you’re breached, this could slow, disrupt, or completely halt your operations. For example, if you’re a retail business, it could mean a loss in sales. If you’re a service business, it could mean the loss of the ability to provide customer support.
5. Breach Aftermath
If a company suffers a data breach that is the result of poor security practices, it may want to double down on its security investments—which will come at a cost. Some hardware or software may require replacement or security upgrades post-breach. And some organizations may realize they are understaffed with security professionals and need to hire a new IT professional, CIO, or CISO.
6. Investigation Costs
If you need to bring in a third party to investigate your data breach—or even the FBI—these services will cost you up to six or seven figures, depending on the size of the attack.
7. Public Disclosure
If people are no longer willing to use your services or purchase your product after a large data breach, your bottom line, stock price, and company reputation could be at stake.
8. Class-Action Lawsuits
If you experience a class-action lawsuit as the result of a cyber-attack, the data breach cost will clearly be driven up. It also means that the breach that occurred was significant, typically involving the compromise of many records with critical customer impacts.
Cyber insurance—which can cover some of the cost of an information security breach—is a worthwhile investment given the scope of cyber risk. However, cyber insurance is not a catch-all. Organizations still need to be proactive in their approach to security, lest insurance fail to adequately cover their risk exposure and data breach costs. Organizations must show the insurers, the Board, and other stakeholders that they’re serious about security by implementing a prolonged and proactive approach to cyber risk management.