How much will your data breach REALLY cost?
The figures you see quoted for the cost of a data breach are usually alarming. But how do you relate these figures to your own business, asks Steve Mansfield-Devine...
It’s that time of year when IBM and the Ponemon Institute issue their ‘Cost of a Data Breach’ report. And the numbers are predictably worrying. The average impact of data breaches continues to grow, hitting an all-time high of $4.35 million. But what does this mean for your organisation?
“It is incredibly difficult for CISOs to understand how these figures impact their own business,” says Yakir Golan, co-founder and CEO of Kovrr, which specialises in risk quantification. “Data breach numbers are dependent on many factors including the type of data breached, the amount of data, the industry, and so much more.”
There are some obvious and immediate costs, such as remediation and even (possibly) ransom payments – although the latter are likely to have no real correlation to the value of your data. But the total impact goes way beyond that, both in time and money.
“More intangible losses, like loss of confidence or impact to future sales, are often beyond the scope of the CISO impact calculation,” says Mark Guntrip, senior director of cybersecurity strategy at Menlo Security.
It can take a long time for the real impact to become apparent.
“Not all the costs are clear from the beginning, right after the cyber incidents,” says Erfan Shadabi, a cybersecurity expert at comforte AG. He points to issues such as higher employee turnover, especially at the executive level. And the reputational damage can linger. “The marketing team will need to combat every Google search that refers to the recent data breach,” he says. “And then there is social media to deal with. All these activities will have a huge opportunity cost for marketing operations.”
Most companies carry out risk assessments, but these don’t necessarily map directly to the issues that are going to cost you money, such as notifying affected parties and fines for compliance infringements.
According to Golan, to understand how risk relates to concrete costs, CISOs need to perform cyber risk quantification calculations that take into account: threat intelligence data, including frequency data about cyber events; company data, including the company’s security posture; and insurance data – including how much past events cost companies.
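To make the three inputs concrete, here is a minimal cyber risk quantification in Python. It is an added illustration for this article, not Kovrr's model or anything described by Golan: breach frequency is drawn from a Poisson distribution whose rate comes from threat-intelligence base rates scaled by a security-posture factor, the loss per event is lognormal with parameters fitted (in a real exercise) from insurance and claims data, and Monte Carlo simulation turns that into an expected annual loss, a tail figure a board can understand, and the share of loss a given policy limit would leave with the company. The class and function names and every number are constructed assumptions.

```python
"""Toy cyber risk quantification: frequency x magnitude via Monte Carlo.

Added example. Inputs, names and figures are constructed for illustration
and are not taken from the article, Kovrr or any insurer's data.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskInputs:
    # Threat-intelligence data: baseline breach events per year for peers
    # in the same industry and size band (constructed value).
    base_events_per_year: float
    # Company data: posture multiplier. 1.0 = industry baseline; below 1.0
    # means controls are judged better than average and frequency falls.
    posture_factor: float
    # Insurance/claims data: per-event loss modelled as lognormal with this
    # median and log-space spread (sigma). Fitted from past claims in practice.
    median_loss_per_event: float
    loss_spread_sigma: float
    # Aggregate annual cyber-insurance limit; 0.0 means no cover (assumption:
    # the limit applies to the year's total, not per claim).
    policy_limit: float = 0.0


def _poisson(rng: random.Random, lam: float) -> int:
    """Draw a Poisson count with Knuth's multiplication method."""
    threshold = math.exp(-lam)
    n, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return n
        n += 1


def simulate_annual_losses(inputs: RiskInputs, years: int = 20000,
                           seed: int = 7) -> list:
    """Return one simulated total loss per simulated year."""
    rng = random.Random(seed)
    lam = inputs.base_events_per_year * inputs.posture_factor
    mu = math.log(inputs.median_loss_per_event)  # lognormal median -> mu
    totals = []
    for _ in range(years):
        events = _poisson(rng, lam)
        year_loss = sum(rng.lognormvariate(mu, inputs.loss_spread_sigma)
                        for _ in range(events))
        totals.append(year_loss)
    return totals


def summarise(totals: list, policy_limit: float) -> dict:
    """Turn simulated years into board-level figures."""
    ordered = sorted(totals)
    n = len(ordered)
    expected = sum(totals) / n
    p95 = ordered[int(0.95 * (n - 1))]
    # Loss the company keeps after the policy limit is exhausted.
    retained = [max(t - policy_limit, 0.0) for t in totals]
    return {
        "expected_annual_loss": expected,          # the 'X' for the board
        "p95_annual_loss": p95,                    # bad-year figure
        "expected_retained_loss": sum(retained) / n,
        "prob_exceeds_limit": sum(1 for t in totals if t > policy_limit) / n,
    }


def quantify(inputs: RiskInputs, years: int = 20000, seed: int = 7) -> dict:
    return summarise(simulate_annual_losses(inputs, years, seed),
                     inputs.policy_limit)


if __name__ == "__main__":
    baseline = RiskInputs(base_events_per_year=0.4, posture_factor=0.75,
                          median_loss_per_event=1_000_000.0,
                          loss_spread_sigma=1.0, policy_limit=1_000_000.0)
    for key, value in quantify(baseline).items():
        print(f"{key:24s} {value:,.2f}")
```

The expected annual loss is the headline number, but the 95th-percentile and retained-loss figures are what actually inform the insurance and pricing decisions discussed later in the article: a policy limit below the bad-year loss leaves the business carrying the tail. The model is deliberately simple; the hard part in practice is the dataset behind each parameter, which is exactly the point Golan makes.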
Given the complexity of the calculations, it would be easy to throw up your hands and say ‘let the insurance cover it’. But claims for cyber incidents are also complicated and insurance may not cover all the costs.
“Most cybersecurity insurances won’t provide coverage for losses of intellectual property, or most policies won’t cover incidents knowingly caused by a business’s employee,” says Shadabi. “Also such insurance is expensive and small/medium size companies may opt-out of having cyber insurance altogether.”
You also have to ask whether you are insuring at the right level. A recent report by Menlo Security shows the growing gap between the perceived cost and actual cost of recovering from ransomware attacks.
And nearly a quarter of security professionals admit they don’t know the value of their insurance policy, or whether they have cover at all. Their estimates of the cost of recovering from a ransomware attack average $326,531, whereas research by Sophos puts the actual figure at $1.4 million.
Passing on the costs
The IBM/Ponemon report finds that an increasing number of organisations are passing on the costs of cyber breaches to their customers. And Golan is not surprised by this.
“The most advanced players in the market are pricing the potential exposure and liability associated with cyber events into the cost of the products and services they offer,” he says. “In many ways, I think that this is a more sustainable approach than just buying insurance that will still leave you with an effect on business performance and profitability if an incident hits your company.”
But while building in the cost of cyber protections might be seen as a reasonable ‘cost of doing business’, hiking up your prices to cover the expense involved in a breach that has actually happened is likely to cause even more reputational damage, as well as making you less competitive.
Counting the cost
The difficulty of the problem is no excuse for not getting to grips with the figures. A CISO should be able to go to the board and say, ‘a data breach will cost us X’, says Golan.
“CISOs need to quantify their organisation’s risk by using a business impact approach, allowing a better conversation around shared language, risk and cost,” he says. “Understanding your cyber risk in financial terms in a data-driven way is the right way to go; however, the challenge starts with creating the right updated datasets.”
Ultimately, though, putting a firm figure on a potential breach is never going to be easy. So maybe it’s better not to have a breach. John Goodacre, director of the UKRI’s Digital Security by Design challenge and professor of computer architectures at Manchester University, comments: “In addition to assessing risk, and maintaining cyber defences, businesses should also increase their focus on selecting products and services delivered with security by default and design.”