Can you afford a data breach? Probably not

Everything is getting more expensive these days, and data breaches are no exception. Find out what’s sending the costs of breaches soaring, and what you can do to turn it around.

IBM teamed up with Ponemon for the annual Cost of Data Breach study. The overall trend this year is that costs are up, getting closer to all-time highs, and in some ways, costing more than ever.

While we’ll be looking specifically at the cost of data breaches in the United States, the report also includes global options and breakdowns by country.

The magic number

$6.5 million.

That’s the average total cost of a data breach in 2015, and it’s up 11% from the 2014 results, which were $5.85 million per breach.

But as IT pros well know, talking about a data breach as if it’s one type of incident isn’t quite accurate. There are myriad causes of these devastating security breaches, and each has its own impact.

For those surveyed by Ponemon, the top root cause of data breaches in 2015 was malicious or criminal attacks (including malicious insiders) – in other words, hacking. That made up nearly half (49%) of breach incidents.

The remaining root causes were system glitches (32%) and human error (19%).

Breaking down the cost by the type of incident shows some fluctuation depending on root cause, but most incidents fall in the same ballpark. The per-capita cost of incidents was:

  • malicious or criminal attacks – $230
  • system glitches – $210
  • human error – $198.

Where costs come in

There are a variety of costs associated with any data breach. And in most cases, the fallout from these breaches actually turns out to have the biggest financial impact.

Some of these costs include:

  • Detection. The average detection and escalation costs of a data breach rose to $610,000 in 2015, an all-time high, and up from $410,000 in 2014.
  • Notification. Costs for alerting customers and others to the breach reached $560,000 in 2015, slightly above the 10-year average.
  • Post-breach costs. Those who think data breaches are one-time incidents should re-evaluate. In 2015, post-breach costs reached $1.64 million on average. This includes things such as help desk activities, inbound communication, investigations, remediation, regulation costs and identity protection services for customers or victims.
  • Lost business costs. Perhaps the hardest to quantify, but also the most costly result. The survey found that companies that suffered a data breach lost an average of $3.72 million. The number was arrived at by accounting for unusual business turnover, increased customer acquisition costs and less quantifiable factors, such as “reputation losses” and “diminished goodwill.”

Cost-only approaches won’t work

Those of you thinking that this information is going to be ammunition for your next board meeting, take note: Talking about breaches in dollars and cents won’t always work.

Some organizations can accept the possibility of a data breach as a calculated risk. Others take the “It’ll never happen to me” approach (that is, until it does).

Using costs as a way to boost security requires some tact. Here are things you may want to consider:

  1. Find similar costs. Telling a government organization how much the Target breach cost is about as useful as a retail IT manager telling his or her board about the latest IRS breach. If you can’t draw a one-to-one comparison between two incidents, the argument is going to fall on deaf ears.
  2. Quantify risk and cost. Avoid the trap of talking impossibly high figures when making small changes. Quantify the risk of individual aspects of the business. So instead of saying “The average data breach can cost $6.5 million, which is why we need to upgrade our firewall,” talk about the cost of using an outdated firewall specifically and how much the replacement would be.
  3. Focus on users. It may be hard to imagine a cyberattacker hitting your company and taking it for all it’s worth. But the C-level does know its own people – for better or worse. Remind them that even the good-intentioned, smart people they’ve hired can make a single mistake or bad decision that could cost the company millions. That’ll convince them security is worth the investment not for large-scale attacks, but as a good common-sense measure to protect your organization.
