So what’s the real cost of a data breach?
A data breach can be defined as an event in which sensitive or protected data has been accessed and/or disclosed in an unauthorised manner.
These may include personal health information, personally identifiable information, trade secrets or intellectual property.
The most common data breach exposures are personally identifiable information such as full names, credit card numbers and social security numbers along with corporate information, such as manufacturing processes and customer lists.
The three main causes of a data breach are a malicious or criminal attack, system glitch or human error. The cost of a data breach can vary according to the cause and the safeguards in place during the data breach.
How do they occur?
They can be attributed to weak passwords, the exploitation of missing software patches or lost and stolen laptops and devices.
Social engineering can cause users to provide their login credentials directly to cyber criminals or through subsequent malware infections. These credentials can allow cybercriminals to gain entry to sensitive records and may even go undetected for months. Third-party company partners are a common target for cybercriminals, and often help them gain access to larger companies.
Although hackers and cybercriminals often cause data breaches, there are also instances of accidental data breaches. This is where companies and government agencies accidentally expose sensitive data online. These incidents are usually caused by an organisation’s misconfiguration in cloud services and not enforcing the appropriate access controls.
What are the costs?
Historically, it has been difficult to measure the precise cost of a data breach.
Companies have typically been reluctant to disclose the amount of money they’ve spent restoring order, or the decline in sales after a data breach.
According to a Ponemon Institute study, the average total cost of a data breach to a company is $3.86 million or $148 on average per stolen record!
The study also estimated that a typical company has a 26% chance of experiencing a 10,000+ record data breach within the next 24 months.
In other words, one in four companies will lose $1.5 million or more on a data breach over the next two years.
Those figures may seem frightening, but there have been bigger financial hits. Equifax’s SEC filing revealed that the company has already spent $1.4 billion recovering from its 2017 data breach. The data breach revealed the sensitive information of nearly 148 million customers.
What are the legal costs of a data breach?
The legal costs tend to be the most visible costs. The total legal costs of a data breach can often be larger than the amount announced due to the costs of lawsuits and private settlements. Consumer class action suits and settlements have cost organisations such as Target and Home Depot tens of millions of dollars.
Data breaches can lose business and damage your reputation
Although company pay-outs for lawsuits, government fines and other direct costs of a data breach attract more attention. The major costs can lie in bad publicity and a damaged reputation.
As consumers become more aware of the growing number of data breaches, they begin to recognise the power they have in their business relationships. If an organisation is breached, consumers will move their business to competitors that are perceived to be more secure.
The Ponemon Institute’s Cost of a Data Breach report revealed that if a company loses less than 1% of its customers due to a data breach, the average total cost of a data breach is $2.8 million!
But if the loss of customers was 4% or higher, the average total cost is $6 million, a difference of $3.2 million.
TalkTalk serves as a great example of reputational loss due to a data breach. In 2015, TalkTalk suffered a data breach and the sensitive information of 150,000 customers was stolen, including bank account details of almost 15,000 customers. TalkTalk lost 95,000 subscribers, costing them $76 million.
A data breach doesn’t only damage an organisation’s reputation with customers. After suffering from a major breach, Yahoo! Lowered its asking price by $350 million to be acquired by Verizon.
But what about regulatory fines?
There are two new laws that are shaping data breach implications for organisations.
- Europe’s General Data Protection Regulation (GDPR) which gives supervisory authorities the ability to fine businesses up to 4% of revenue if they fail to protect sensitive data of European citizens.
- In the United States, New York follows a cybersecurity law that places new obligations on banks, insurance companies, and other financial services firms. The NYDFS Cybersecurity Regulation enforces firm cybersecurity rules, including installing a comprehensive cybersecurity plan, appointing a Chief Information Security Officer, enacting a detailed cybersecurity policy, and initiating and maintaining of an ongoing reporting system for cybersecurity events. Although the cost of breaking regulation is unknown, penalties will be calculated for violations and organisations can expect heavy fines.
What can you do to prevent a data breach?
The first step is ensuring basic, well-known security protocols are in place. This includes conducting continuous vulnerability and penetration testing, implementing malware protection, ensuring employees are using strong passwords and regularly implementing necessary software patches on all systems.
Although this will help to prevent intrusions in an environment, encrypting sensitive data is crucial, regardless of whether it’s stored inside an on-premises network or a third-party cloud service.
If there is a data breach, encryption will prevent hackers and cybercriminals from accessing your data.
Organisations should also have an incident response plan that can be applied when a breach occurs. An incident response plan details the appropriate procedures for identifying, containing and quantifying a security incident. Ongoing security awareness training can be used to promote those policies as well as to educate employees.