Understanding the True Cost of a Data Breach

Understanding the True Cost of a Data Breach

DB Cost thumbAccording to the Ponemon Institute, the average cost of a data breach now exceeds $3.8 million. Yet while the nominal cost of a data breach is painful, it often pales in comparison to the lingering after-effects.

Upfront costs tend to be obvious: the cost of internal investigations and the costs of implementing improved technology. Meanwhile, indirect costs may be more subtle and more pervasive, sometimes lasting months (or even years). These hidden costs need to be factored in when you’re planning your protection against the latest malware threats and perhaps as part of the case you make for an increased budget to fund improved security.

The Hidden Cost of a Data Breach

When an organization experiences a data breach, it must first repair its system. While the system is under attack, the organization may experience some level of business disruption, and it may need to pay an IT team or technician to restore the system. However, this is only the start.

Investigation costs. To protect itself in the future, the organization must launch an investigation into what caused the attack and which vulnerabilities were used to initiate it. If the organization has been struck by crypto-malware, for example, that crypto-malware must be identified and measures put into place to prevent that strain from becoming a problem again.

Sometimes a professional security audit may be needed to review network activity data to discover the root cause of a security breach. This is especially true if employee error or a lack of adherence to internal security processes is at fault, as an internal audit may not reveal procedural flaws in a company’s security.

Remediation costs. As a result of a successful attack, the data breach impact often includes the compromise of customer, employee, and vendor data. All compromised users need to be alerted to the data breach. In some cases, the company may need to pay for things such as credit freezes and credit reports for the impacted users.

There have been several high profile cases in which a lack of adequate security ultimately led to an organization having to pay damages directly to users. If a company’s security is fundamentally and negligently flawed, it may be required to reimburse customers for their inconvenience.

Legal costs. A company that suffers a data breach is liable for compromised data and possibly for other legal considerations such as negligence. It may be necessary to retain legal counsel to determine whether there may be any negligence or further responsibility on the company’s part.

Even if a company is not to blame, there will be legal fees associated with analyzing the situation and mitigating damages to the standards required by law. A legal team may be called in to advise the company regarding issues such as required reporting standards.

Finally, in a worst-case scenario, the company may find itself having to defend itself from a shareholder or customer lawsuit.

Customer churn. 70% of customers will stop following a business after a data breach. There will always be customers who no longer feel comfortable doing business with a company that has experienced a breach, especially if that breach led to identity theft or other user-related issues. When customer churn occurs due to a data breach, the company has effectively lost the remaining lifetime value of that customer and must invest more money to acquire new customers.

It’s often estimated that customer acquisition costs about five times more than customer retention, making customer churn extremely expensive. A company may need to invest a significant amount in rebuilding its customer base.

Stock impact. Dealing with a data breach is an extremely visible issue especially with new reporting requirements such as those implemented in GDPR, and can adversely impact the company’s stock price. Investors may be wary of dealing with a company that appears to have lax cybersecurity, especially in a world in which cybersecurity is becoming far more important.

Recently, Facebook saw a slide in its stock prices as over a billion dollars in fines were levied against it. In this way, losses can be magnified through reduced valuation.

Brand and reputation. Data breach impact reaches further than just customer churn, it can also have a chilling effect on the reputation of the brand. A highly publicized data breach is going to be associated with the company in a consumer’s mind for some time, although it may be impossible to accurately quantify the cost in terms of an adversely impacted brand identity of a data breach.

Over time, a company may recover – but that may be too late for some. Many small businesses and mid-sized businesses shut down entirely following a data breach, as they may never fully be able to restore their cash reserves and their customer base.

Prevention is the Best Medicine

While a breach impact may be severe, it’s also avoidable. Indeed, the best way to deal with the data breach fallout is to prevent it altogether. Compared to the cost of a data breach, the more predictable pricing of effective network security technology is extremely reasonable. Modern businesses are investing in next-generation advanced threat detection solutions as a way of protecting themselves from the latest attacks.

Network security solutions are able to identify even zero-day threats by analyzing potentially malicious behavior rather than relying on known signatures or simply flagging every network activity anomaly, which generates excessive false positives. Best-practice systems also use machine learning to further improve detection skills, learning how the network environment works and identifying unusual activity with even greater accuracy.

Bert Rankin

Bert Rankin

Bert Rankin has been leading technology innovation for over 25 years including over 5 years in security solutions that prevent cybercrime. He is a frequent blogger and is often quoted in security-related articles. Bert earned his BA from Harvard University and an MBA at Stanford University.
Bert Rankin

Latest posts by Bert Rankin (see all)