Examining the Financial Consequences of a Data Breach
The likelihood of a company, big or small, facing a security incident has increased, and an estimated one in three organizations will fall victim in the next two years. As long as cybercriminals can make a profit from consumer and business data on the Dark Web, organizations will continue to be targeted by hackers. Businesses must be empowered to better protect and prepare their organization against a data breach. The consequences are costly, but the good news is the damages, and the expense, can be mitigated.
For the 14th year in a row, the Ponemon Institute conducted a study detailing the financial burden data breaches pose on organizations. In 2019, the global average cost of a data breach has increased to $3.92 million, a growth of 12 percent in only five years. The United States ranks first in costs related to security incident recovery, spending on average $8.19 million.
Here are other key findings from the 2019 Cost of a Data Breach Report, and how you can better protect your company from the costly threat:
Who is Behind the Scenes of a Data Breach?
If you think a deviant hacker hiding behind a computer screen is responsible for most business data breaches, you are correct. The three common root causes of security incidents include malicious attacks, which are the most prevalent and expensive, followed by a failure to patch workstations and servers in a timely manner, and human error. Although there is no sign of hackers slowing down, developing your cybersecurity policy and training your employees can reduce the risk of human error.
The longer your business information — and that of your customers, employees, and companies you do business with — is left accessible to cybercriminals, the pricier the damage becomes. The total lifespan from the time of detection to the containment of the breach has increased by nearly 5% from 2018, now averaging 279 days — and time is money. It takes security teams substantially longer to identify and contain a breach in the case of a malicious attack, meaning companies must be vigilant and responsive. As soon as a sign of a data breach surfaces, your breach response team should be ready to take action. The faster a security incident can be identified and contained, the lower the long-term costs.
Costly Consequence for Data Breaches
Unfortunately, data breach recovery is not a one-time cost. The financial damage begins before the breach is detected and long after it is contained. Although IT and Information Security (InfoSec) teams may allocate a budget to be used in case of an event, there are often hidden long-term costs. In the first-year post-breach, companies typically pay 67% of the total cost of a breach, with 22% of breach costs accruing in year two, and 11% in year three — what Ponemon refers to as the “longtail” of a breach.
Small to Medium-Sized Businesses (SMBs), those with less than 1,000 employees, spend an average of $2.65 million, or $3,533 per employee. Compared to larger organizations paying $5.11 million, or $204 per employee, the high price tag on SMBs impedes their ability to recover financially from the incident. Reports show that 60% of SMBs who suffer a security breach close their doors within six months.
The loss of customer trust becomes an additional severe financial burden that is difficult for any company to bare, especially a small business. From revenue loss due to business disruption and system downtime, to customer churn and new customer acquisition costs after the loss of trust, this lost business represents a hefty average price of $1.42 million. Costs that are often part of the “longtail” of the breach include legal expenses, identity theft protection for customers and employees, and other discounts and incentives to retain a business’s customer base.
Reduce the Chance of a Data Breach
Awareness, software updates, and training are at the top of the list of ways to mitigate against a data breach. Consider including the following aspects in your organization’s InfoSec plan to reduce your vulnerability:
- Installing patches to workstations and servers in a timely manner. As soon as a new breach is announced, malicious actors will use it immediately. The longer you wait to patch a known vulnerability, the greater the risk of being breached.
- Installing modern anti-malware on workstations and servers, and keeping it up to date. Modern cyberattacks are extremely sophisticated and the anti-malware tools that were introduced years ago are no longer adequate.
- Providing security awareness training to employees, updating it regularly to keep it fresh and top of mind, and testing their knowledge, such as through simulated phishing attacks, to reinforce the training.
Mitigating the Costs of a Data Breach
One of the most important topics for IT and InfoSec teams is breach preparedness, which can limit the damage from a breach incident. The top mitigating factors include forming an incident response team, thorough use of data encryption, and extensive tests of an organization’s incident response plan. These considerations individually can save over $320,000 in data breach costs. If you are working with a small security team, invest in technologies that help improve how quickly your business can detect and contain a data breach. By encrypting your digital data, your information will be useless to cyberthieves that attempt to hack your organization. The more confident your team is with your response process and safeguarding your data, the quicker they will be to react and contain the threat, the cost, and the fallout.
Focusing on the retention of your customers and employees is a critical component in reducing the costs of a data breach. Organizations that offer identity theft protection to clients or as an employee benefit may profit from less turnover and reduce the fallout from an incident.
Tips to Protect Your Small Business from a Data Breach
- Have a data breach response plan ready. Make appropriate updates to your company’s incident response plan and create a habit to practice with all necessary personnel.
- Make a suitable increase in your security budget. Ensure your IT team is considering long-term costs when budgeting for a data breach. The more money allocated into securing your business upfront, the less financial damage will result in the longtail of a breach.
- Properly secure all business documents. If a document includes any type of personal or sensitive information, your company is responsible for protecting it. Train your employees to securely back up current data and safely dispose of outdated documents.