How do you measure the cost of a company data breach? You could try asking those that have been attacked. The IBM Security Cost of a Data Breach Report 2021 did just that, and the numbers reveal some hard truths.

For example, ransomware attacks cost an average of $4.62 million. These costs included escalation, notification, lost business and response costs. This total did not include the cost of the ransom — if it was even paid.

The economic impact of a data breach bleeds well past typical bottom-line measurements. Let’s take a look at how much a data breach response really costs. Plus, we’ll explore the key factors that mitigate or amplify the financial damage.

Unexpected Cost of a Data Breach

Let’s pretend a cybersecurity journalist notifies your company of a vulnerability in an image-sharing application. Let’s say 800 million or so images were exposed dating back to 2003. And maybe some images contained sensitive personal data, such as social security numbers and financial information.

Within days, your company issues a press release about the incident. You send a Form 8-K to the U.S. Securities and Exchange Commission. The breach was painful, but you’re all clear with the SEC, right? Well, if the SEC determines that your IT team identified the vulnerability several months earlier and did not inform leadership, you might be in trouble.

That’s exactly what happened to First American Financial Corporation. Without admitting or denying the SEC’s findings, First American agreed to a cease-and-desist order and to pay a $487,616 penalty.

Meanwhile, Pearson plc, a London-based company that provides educational publishing services, agreed to pay $1 million to settle charges that it misled investors about a 2018 cyber intrusion. The breach involved the theft of millions of student records, including dates of birth and email addresses. The SEC determined that Pearson did not have adequate disclosure controls and procedures.

The Business Data Breach Cost

Of course, the bottom line takes a direct hit in every data breach. The IBM report reveals that lost business represents the largest slice of breach costs, at an average total cost of $1.59 million.

Lost business costs included increased customer turnover, lost revenue due to system downtime and the increasing cost of acquiring new business due to diminished reputation.

Non-Business Cost of a Data Breach

The non-business elements of a data breach cost companies $2.65 million, according to the report. That’s 62.5% of the overall costs of a data breach. For the average $4.24 million data security incident, here’s the overall cost breakdown (and percentage of total costs):

  • $1.59m (38%) — Lost business costs, which include customer churn, downtime and new business acquisition costs
  • $1.24m (29%) — Detection and escalation costs, including hunting down and identifying the breach, getting key team members involved and engaging any external services (forensic, legal, etc.)
  • $1.14m (27%) — Post-breach response costs to cover containment, eradication and recovery processes
  • $0.27m (6%) — Notification costs to inform regulatory agencies, partners, customers and the general public.

Zero Trust Saves $1.76 Million

What is data security when facing a breach without zero trust? It’s expensive. In the report, companies with mature zero trust saved $1.76 million per breach compared to companies with no zero trust.

A zero trust framework treats every connection and endpoint as a potential threat, whether it originates inside or outside the corporate network. This provides protection against both external and internal threats. A zero trust network:

  • Logs and inspects all corporate network traffic
  • Limits and controls access to the network
  • Verifies and secures network resources.

Compliance Failure Costs

Of 25 cost factors that either amplify or mitigate breach costs, compliance failure increases cost more than any other factor. Organizations with a high level of compliance failures (resulting in fines, penalties and lawsuits) faced an average cost of a data breach of $5.65 million.

Meanwhile, groups with low levels of compliance failures spent only $3.35 million. So staying on top of compliance can save you $2.3 million, or 51.1%.

Time and Cost Savings From Automation

Automation helps make day-to-day tasks easier for database security teams. But how does it affect costs in the event of a data breach?

Security automation augments or replaces human-based tasks in the identification and containment of incidents or intrusion. Artificial intelligence (AI), machine learning, analytics and automated security orchestration all come into play here. This is especially relevant in big data security and enterprise-level groups.

In the IBM study, organizations with no security automation saw average breach costs of $6.71 million. Those with fully deployed security automation spent $2.90 million on average, a savings of $3.81 million. This represented the biggest cost savings in the study.

When it comes to a data breach, another key factor is time. For groups with fully deployed security AI & automation, it took an average of 184 days to identify the breach and 63 days to contain the breach (total life cycle 247 days). For those with no AI/automation deployed, it took an average of 239 days to identify the breach and 85 days to contain (total life cycle of 324 days).

In both cases, the cycle times seem too long to bear. However, without the help of AI and automation, the breach life cycle (identification plus containment) runs an average of 77 days longer.

Public, Private or Hybrid Cloud?

Does the type of cloud in which a breach occurs make a difference in cost? It makes a big difference. Here’s the breakdown:

  • Public cloud breaches cost an average of $4.80 million
  • Private cloud breaches cost an average of $4.55 million
  • Hybrid cloud breaches cost an average of $3.61 million.

So hybrid cloud breaches cost 28.3% less than incidents that occur in public cloud architectures.

Vulnerability Assessment Review

There are many factors involved in vulnerability analysis. Still, if you want to save money on cleaning up after a data breach, here are some tactics that will make a difference:

  • Implement mature zero trust
  • Remain vigilant and proactive with compliance/regulation
  • Deploy security automation
  • Use a hybrid cloud over a fully public or private cloud.
