How do you measure the cost of a company data breach? You could try asking those that have been attacked. The IBM Security Cost of a Data Breach Report 2021 did just that, and the numbers reveal some hard truths.
For example, ransomware attacks cost an average of $4.62 million. These costs included escalation, notification, lost business and response costs. This total did not include the cost of the ransom — if it was even paid.
The economic impact of a data breach extends well beyond typical bottom-line measurements. Let’s take a look at how much a data breach response really costs. Plus, we’ll explore the key factors that mitigate or amplify the financial damage.
Unexpected Cost of a Data Breach
Let’s pretend a cybersecurity journalist notifies your company of a vulnerability in an image-sharing application. Let’s say 800 million or so images were exposed dating back to 2003. And maybe some images contained sensitive personal data, such as social security numbers and financial information.
Within days, your company issues a press release about the incident. You send a Form 8-K to the U.S. Securities and Exchange Commission. The breach was painful, but you’re all clear with the SEC, right? Well, if the SEC determines that your IT team identified the vulnerability several months earlier and did not inform leadership, you might be in trouble.
That’s exactly what happened to First American Financial Corporation. Without admitting or denying the SEC’s findings, First American agreed to a cease-and-desist order and to pay a $487,616 penalty.
Meanwhile, Pearson plc, a London-based company that provides educational publishing services, agreed to pay $1 million to settle charges that it misled investors about a 2018 cyber intrusion. The breach involved the theft of millions of student records, including dates of birth and email addresses. The SEC determined that Pearson did not have adequate disclosure controls and procedures.
The Business Data Breach Cost
Of course, the bottom line takes a direct hit in every data breach. The IBM report reveals that lost business represents the largest slice of breach costs, at an average total cost of $1.59 million.
Lost business costs included increased customer turnover, lost revenue due to system downtime and the increasing cost of acquiring new business due to diminished reputation.
Non-Business Cost of a Data Breach
The non-business elements of a data breach cost companies $2.65 million, according to the report. That’s 62.5% of the overall costs of a data breach. For the average $4.24 million data security incident, here’s the overall cost breakdown (and percentage of total costs):
- $1.59m (38%) — Lost business costs, which include customer churn, downtime and new business acquisition costs
- $1.24m (29%) — Detection and escalation costs, including hunting down and identifying the breach, getting key team members involved and bringing in any external services (forensic, legal, etc.)
- $1.14m (27%) — Post-breach response costs, covering containment, eradication and recovery processes
- $0.27m (6%) — Notification costs to inform regulatory agencies, partners, customers and the general public
Zero Trust Saves $1.76 Million
What does a breach look like for a company without zero trust? Expensive. In the report, companies with mature zero trust saved $1.76 million per breach compared to companies with no zero trust.
A zero trust framework treats every connection and endpoint as a potential threat, which provides protection against both external and internal threats. A zero trust network:
- Logs and inspects all corporate network traffic
- Limits and controls access to the network
- Verifies and secures network resources
Compliance Failure Costs
Of 25 cost factors that either amplify or mitigate breach costs, compliance failure increases cost more than any other factor. Organizations with a high level of compliance failures (resulting in fines, penalties and lawsuits) faced an average cost of a data breach of $5.65 million.
Meanwhile, groups with low levels of compliance failures spent only $3.35 million. So staying on top of compliance can save you $2.3 million, or 51.1%.
Time and Cost Savings From Automation
Automation helps make day-to-day tasks easier for database security teams. But how does it affect costs in the event of a data breach?
Security automation augments or replaces human-based tasks in the identification and containment of incidents or intrusion. Artificial intelligence (AI), machine learning, analytics and automated security orchestration all come into play here. This is especially relevant in big data security and enterprise-level groups.
In the IBM study, organizations with no security automation saw average breach costs of $6.71 million. Those with fully deployed security automation spent $2.90 million on average, a savings of $3.81 million. This represented the biggest cost savings in the study.
When it comes to a data breach, another key factor is time. For groups with fully deployed security AI & automation, it took an average of 184 days to identify the breach and 63 days to contain the breach (total life cycle 247 days). For those with no AI/automation deployed, it took an average of 239 days to identify the breach and 85 days to contain (total life cycle of 324 days).
In both cases, the cycle times seem too long to bear. However, without the help of AI and automation, a breach takes an average of 77 more days to identify and contain.
Public, Private or Hybrid Cloud?
Does the type of cloud environment that is breached make a difference in cost? It makes a big difference. Here’s the breakdown:
- Public cloud breaches cost an average of $4.80 million
- Private cloud breaches cost an average of $4.55 million
- Hybrid cloud breaches cost an average of $3.61 million
So hybrid cloud breaches cost 28.3% less than incidents that occur in public cloud architectures.
Vulnerability Assessment Review
There are many factors involved in vulnerability analysis. Still, if you want to save money on cleaning up after a data breach, here are some tactics that will make a difference:
- Implement mature zero trust
- Remain vigilant and proactive with compliance and regulation
- Deploy security automation
- Use a hybrid cloud over a fully public or private cloud