There are certain questions in business that you never want to find the exact answer to. “How much would a data breach cost your business?” is one of those questions.
If you want to try and put a figure on it, however, Ponemon Institute’s Cost of a Data Breach Report 2020 states the average cost of a data breach is $3.86 million.
The Ponemon report highlights four reasons a data breach can cost so much: detection and escalation, notification, lost business and post data breach response.
Let’s examine each of these.
Detection and escalation: Activities that enable a company to detect and respond to the breach still need to be paid for. This covers forensic and investigative activities, assessment and audit services, crisis management, as well as communications to executives and boards.
Notification: This covers activities that enable the company to notify data subjects, data protection regulators and other third parties.
Lost business: Here, money is spent to minimise the loss of customers, business disruption and revenue losses.
Post data breach response: This covers activities to help victims of a breach communicate with the company and activities to provide redress to victims and regulators.
The biggest cost contributor is lost business: increased customer turnover, lost revenue from system downtime and the higher cost of acquiring new business with a diminished reputation.
According to Ponemon, lost business accounted for 40% of the average total cost of a data breach.
The most frequently compromised – and the costliest – data is personally identifiable information (PII). The average cost per lost or stolen record containing customer PII is $150. In a malicious attack, the cost rises to $175 per record.
There are three main causes of a data breach: malicious attacks (52%), human error (23%) and system glitches (25%).
One in five victims of a malicious data breach were infiltrated via stolen or compromised credentials. In these instances, the typical total cost was $4.77 million – nearly $1 million higher than average. Breaches due to cloud misconfigurations raised the $3.86 million average cost of a breach by more than $500,000, to $4.41 million.
In addition to being more costly, malicious breaches are harder to deal with. They take 315 days on average to detect and contain, compared to 244 days for a system glitch breach and 239 days for a breach caused by human error.
The cost of a data breach is higher for companies with complex security systems, where the complexity is caused by a multiplicity of technologies and a lack of in-house expertise. Cloud migration is also associated with higher-than-average data breach costs.
In terms of who bears the highest cost from a management point of view, CISOs and CIOs are particularly vulnerable – even though they might not be responsible.
Ponemon found 46% of businesses believed the CISO or CSO would be held responsible for a data breach, despite only 27% saying the CISO or CSO is most responsible for cybersecurity policy and technology decision-making.
The three most effective ways to mitigate a data breach are security automation, forming an incident response (IR) team and testing the IR plan and business continuity management.
The Ponemon report indicates that businesses with an incident response team suffer a lower average cost due to a data breach compared to those without. Similarly, the average cost for those that fully deploy security automation is much lower than for those without it.
There are a number of measures you can adopt to minimise the impacts of a data breach: