What is the cost of a data breach?
Year after year, data breaches are getting more expensive.
According to IBM's Cost of a Data Breach Report 2021, the average total cost of a data breach has climbed to $4.24 million. IBM also reports that the average cost has risen 11.9% since 2015.
There are numerous ways a data breach hits your company's wallet (or bank account). Let's take a look at a few of them.
Ransom payments have skyrocketed in only a few years.
Palo Alto Networks points out that, in 2016, its consultants routinely saw ransom payments of $500 or less. By 2022, the average ransom payment in the cases they handled was just shy of $1 million.
That figure alone should motivate any business to avoid a data breach or cyber incident. As the Palo Alto study also notes, the $1 million figure covers only the ransom itself; it does not include remediation expenses, downtime, reputational harm, and other damages.
To increase the odds that ransoms will be paid, threat actors have added a second lever: they steal data before encrypting it and threaten to post it on the dark web (and frequently do) to embarrass victims and strongarm them into paying. Because the data has already left your network, paying the ransom does not undo the breach, so the ransom is never the only cost you and your business incur.
As more people buy ransomware kits on the dark web, we can expect the number of ransomware incidents to rise. And as the threat actors are more successful in receiving ransom payments, we can also expect the ransom demands to continue rising.
Ransom payments are high enough to put many companies out of business. But a company may meet the same fate if it refuses to pay and a missing or untested backup and disaster recovery plan leaves it unable to restore operations. This is a lose/lose for most companies unfortunate enough to be hit with ransomware.
Recovering from ransomware, or from any other breach, is not a day-to-day operating cost. You will need to investigate the breach and diagnose the situation, then eliminate the threat and harden your systems to stop repeat attacks.
You may need to enlist help from a third party. Or your current employees may be working overtime to fix the breach.
The IBM study mentioned above estimates that businesses need an average of 75 days to contain a data breach once it has been identified (the same report puts the average time to identify a breach at 212 days). Every passing day adds to the remediation bill.
A data breach may also enable wire transfer fraud, commonly called business email compromise (BEC), in which the threat actor steals funds transfers intended for vendors or lenders. In these scenarios, the threat actor gains access to a mailbox and quietly monitors email traffic. When they see an email carrying wiring instructions for an outbound transfer, they alter the routing and account numbers to point at an account they control, often while posing as the legitimate vendor.
Worse yet, wire fraud may not be covered by your cyber liability insurance. Depending on the details of your policy, the fraudulent transfer may fall under the insurer's definition of a social engineering attack, which is often excluded or capped at a low sublimit. The practical defense is procedural: verify any change to a vendor's payment details through a phone number already on file, never one supplied in the email.
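As an added example (not code from the original article), the following Python script shows the kind of check an accounts-payable system could run on inbound wiring instructions before a transfer is released: it extracts the routing and account numbers from an email, validates the ABA check digit, compares the numbers with the vendor's bank details on record, and flags change-of-bank language for out-of-band verification. The vendor master, the extraction patterns, the change-request phrases and the sample emails are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed vendor master: the bank details on record for each vendor. This is
# the only trusted source; in practice it lives in the AP/ERP system, never in email.
VENDOR_MASTER = {
    "acme-supplies": {"routing": "123456780", "account": "123456789"},
}

# Hypothetical extraction patterns: a 9-digit ABA routing number and a 6-17 digit
# account number, each preceded by a label somewhere in the email text.
ROUTING_RE = re.compile(r"(?:ABA|routing)\D{0,30}?(\d{9})\b", re.IGNORECASE)
ACCOUNT_RE = re.compile(r"account\D{0,15}?(\d{6,17})\b", re.IGNORECASE)

# Phrases that typically accompany a BEC "please update our bank details" request.
CHANGE_HINTS = ("changed our bank", "new bank", "updated bank", "new account",
                "updated wiring", "new wiring", "new remittance")


def aba_checksum_ok(routing: str) -> bool:
    """ABA routing-number check digit: weights 3,7,1 repeating; weighted sum mod 10 == 0."""
    if not re.fullmatch(r"\d{9}", routing):
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


@dataclass
class WireCheck:
    vendor_id: str
    routing: Optional[str]
    account: Optional[str]
    matches_record: bool   # extracted details equal the vendor master entry
    change_language: bool  # email asks for a change of bank details
    action: str            # "OK", "HOLD: ...", or "REJECT: ..."


def check_wire_instructions(vendor_id: str, email_body: str) -> WireCheck:
    """Compare wiring details found in an email against the vendor master and decide
    whether the wire may proceed, must be verified out of band, or must be rejected."""
    record = VENDOR_MASTER.get(vendor_id)
    r = ROUTING_RE.search(email_body)
    a = ACCOUNT_RE.search(email_body)
    routing = r.group(1) if r else None
    account = a.group(1) if a else None
    change_language = any(h in email_body.lower() for h in CHANGE_HINTS)
    matches = (record is not None and routing == record["routing"]
               and account == record["account"])

    if record is None:
        action = "REJECT: unknown vendor; onboard it through the vendor-master process first"
    elif routing is None or account is None:
        action = "HOLD: no complete wiring details in email; pay only to the details on record"
    elif not aba_checksum_ok(routing):
        action = "REJECT: routing number fails the ABA checksum"
    elif matches and not change_language:
        action = "OK"
    else:
        action = ("HOLD: details differ from vendor master or email requests a change; "
                  "confirm by phone using the number on record, not a number from the email")
    return WireCheck(vendor_id, routing, account, matches, change_language, action)


# Constructed sample emails: a routine invoice and a tampered "we changed banks" message.
LEGIT_EMAIL = (
    "Invoice 1042 attached. Remit as usual:\n"
    "Routing: 123456780\n"
    "Account #: 123456789\n"
)
TAMPERED_EMAIL = (
    "Hi, please note we have changed our bank. Send payment to:\n"
    "Bank: Example Bank\n"
    "ABA routing number: 987654320\n"
    "Account number: 555000111\n"
)

if __name__ == "__main__":
    for name, body in (("legit", LEGIT_EMAIL), ("tampered", TAMPERED_EMAIL)):
        result = check_wire_instructions("acme-supplies", body)
        print(f"{name}: routing={result.routing} account={result.account} -> {result.action}")
```

The point of the design is that a mismatch or a change request never results in an automatic rejection or an automatic update; it produces a hold that a human must clear by calling the vendor on the number already on file. The checksum only catches typos and malformed numbers; an attacker's mule account will normally have a perfectly valid routing number, which is why the comparison against the vendor master is the decisive check.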
The legal costs of a data breach vary with a company's industry and the data it holds. As Dark Reading points out, data breaches often compromise sensitive information such as client materials, medical records, Social Security numbers, and addresses. Data that enables identity theft has obvious monetary value to threat actors, and the exposure of health information leaves victims worried about employment discrimination.
Also, in the case of the healthcare industry, disruptions due to a data breach sometimes lead to loss of human life.
If the compromised data is of great value, we should expect the affected parties to react with legal action proportional to the value of that data.
Downtime and loss of productivity
To repeat a point from IBM's Cost of a Data Breach Report 2021: businesses need an average of 75 days to contain a data breach.
While the breach is being contained, your employees cannot focus on the normal business that generates revenue, and salaried staff whose systems are down may spend much of those two and a half months twiddling their thumbs.
And when you finally get back to business, you have to play catch-up. You've lost momentum, and it is anyone's guess how long it will take your employees to get their groove back.
Loss of clients and contracts
This point is a bit of a continuation of the one above.
If you're unable to fulfill your obligations, clients will look for someone else to fill their needs. They will take their business elsewhere, leaving you wondering how you're going to meet next month's payroll.
Some costs are difficult to put a dollar amount on. That doesn't make them any less real or concerning.
Loss of intellectual property and competitive advantage
Intellectual property has many facets, each with its own share of costs.
Intellectual property is proprietary and unique to your company, giving you a leg up on the competition. Once it is exposed, that advantage is gone, and your company is no more attractive an option than anyone else. On top of that, your research and development spending has effectively been donated to competitors who paid nothing for the information or technology.
Perhaps you've heard the adage:
It takes many good deeds to build a reputation, and only one bad one to lose it.
Years of relationship-building and goodwill can evaporate after a single security event. Business you could count on year after year may be gone in the blink of an eye.
Another piece of folk wisdom says that if you make people happy, they might tell one person; but if you make them angry, they'll tell the whole world.
This concern does not apply only to former or potential clients; it also applies to former and potential employees, which makes hiring qualified candidates even harder.
Threat actors like to keep things simple. When possible, they prefer to stick with what works.
If you don't make proper adjustments after one data breach, you can rest assured you will have another data breach.
And for every additional breach, you can multiply the costs and effects of one data breach, increasing the stress for your company and remaining clients and employees.
Breach fatigue is the exhaustion that lingers long after a data breach has come and gone. It's an accumulation of all the points listed above (and those not included).
You can call it "burnout" if you like, but in this case, a data breach is the root cause.
Breach fatigue is accompanied by apathy, which leads employees to stop doing their part to lessen the odds of another data breach.
And so, the cycle is destined to repeat.