Could data breaches be less costly than we all thought?


The average cost of a data breach is notoriously hard to pin down, but that hasn’t discouraged many from trying. And while the figures researchers come up with are usually downright scary, recent research suggests the typical cost could be much lower than we all thought – less than half a percent of annual revenue.

According to a RAND study published in the Journal of Cybersecurity, Examining the Costs and Causes of Cyber Incidents, the financial fallout of a typical incident is less than $200,000, or about 0.4% of a company’s annual revenue.

That figure puts losses from cyber incidents below other routine business losses the study compares them to, such as retail shrinkage (1.3% of revenue) or online fraud (0.9%).

Limitations

The study is built on incidents recorded between 2004 and 2015. But it works mostly from data that was publicly disclosed and accounted for.

That means it doesn’t include breaches or other incidents that aren’t publicly disclosed or even discovered, making the information somewhat limited. There’s no perfect system, however: Even publicly disclosed data on costs could vary wildly depending on what companies consider to be incident-related or not.

There are also not always laws requiring that breaches or other incidents be disclosed. That leaves it up to companies whether to come forward or not in many cases. And the study author, Sasha Romanosky, notes that it doesn’t capture all associated costs, such as the time spent replacing a fired CEO.

What it means for you

As Romanosky tells Dark Reading, “Relative to all the other risks companies face, the cyber risks often aren’t as big a deal as we think.”

Essentially, companies have little incentive to invest further in cybersecurity if they can weather the fallout of an incident more easily than worst-case scenarios would have you believe. If a CEO expects the financial losses from a breach to be mostly negligible, there’s little reason to spend heavily on preventive security.

As the study summarizes:

“On one hand, an executive who is skeptical of security investments may believe that unless a firm incurs a breach every year, it is wasting its IT security investment every year it does not suffer a breach. Alternatively, it may imply that a firm can expect to lose the equivalent of its IT security budget each time it suffers a data breach or security incident.”

Getting the message out

While this appears to be a well-run study, it is just one study – and your security plans shouldn’t go out the window based on it.

What you should do if you still want to win support for IT funding:

  • Consider all the fallout. In addition to dollars-and-cents estimates of the cost of an incident, be sure to share the other, less quantifiable fallout. Think things like opportunity costs from focusing on the breach, or damage to your reputation.
  • Share practical ideas. Don’t ask for a blank check to acquire more services. Figure out which security services or controls would actually meet your needs, then make the ask for those specifically.
  • Share outliers. For most companies, the effects of a breach may be survivable. But there are instances where they aren’t, and those deserve mention just as much as the average case does.