What is the cost of a data breach?

Year after year, data breaches are getting more expensive.

According to IBM's Data Breach Report 2021, the average total cost of a data breach has climbed to $4.24 million. IBM also says the cost of a data breach has increased by 11.9% since 2015.

Let's take a look at a few ways a data breach can cost your company.


Monetary costs

There are numerous ways a data breach can hit your company's wallet (or bank account).


Ransom payments

Ransom payments have skyrocketed in only a few years.

Palo Alto Networks points out that, in 2016, their consultants routinely saw ransom payments of $500 or less. But in 2022, the average ransomware payment is just shy of $1 million.

That figure alone should motivate any business to avoid a data breach or cyber incident. As the Palo Alto study also states, the $1 million price tag includes only the ransom and does not take into account the other costs such as remediation expenses, downtime, reputational harm, and other damages.

To increase the odds that ransoms will be paid, threat actors have started posting stolen data on the dark web to embarrass victims and strong-arm them into paying up. This tactic ensures that even if you pay the ransom, the ransom itself will not be the only cost you and your business incur.

As more people buy ransomware kits on the dark web, we can expect the number of ransomware incidents to rise. And as the threat actors are more successful in receiving ransom payments, we can also expect the ransom demands to continue rising.

The ransom payments are high enough to put many companies out of business. But the company may experience the same fate if the ransom is unpaid and the data can't be restored. This situation creates a lose/lose for most companies unfortunate enough to get hit with ransomware.


Remediation expenses

Chances are that cleaning up a data breach will not fall under the costs of your day-to-day operations. You will need to investigate the breach and diagnose the situation. Then you have to eliminate the threat and improve your systems to stop repeated attacks.

There's a good chance that you'll need to enlist additional help from a third party. Or your current employees may be working overtime to fix the breach.

The IBM study mentioned above estimates that businesses need an average of 75 days to contain a data breach. Every passing day means your remediation expenses will only grow and grow.


Stolen funds

A data breach may enable a threat actor to commit wire transfer fraud, stealing fund transfers intended for other parties. In these scenarios, threat actors monitor email activity. If they see an email containing wiring information for an outbound transfer, they manipulate the information so that it points to their own routing and account details.

Worse yet, wire fraud may not be covered by your cyber liability insurance. Depending on the details of your policy, the wire transfer may fall under the insurer's definition of a social engineering attack.
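The altered-wiring-instructions scenario described above is something accounts payable can check for before a transfer is released. The following is an added example, not code from the original article: it compares the routing and account numbers found in a payment request against a constructed vendor master record (hypothetical), and also validates the ABA routing-number checksum, so a request whose bank details have changed is flagged for out-of-band verification.

```python
import re

# Constructed vendor master record (hypothetical): the bank details AP has on file.
VENDOR_MASTER = {
    "acme supplies": {"routing": "123456780", "account": "000111222"},
}

# Loose patterns for wiring details as they typically appear in an email body.
ROUTING_RE = re.compile(r"(?i)routing(?:\s*(?:number|no\.?|#))?\s*[:\-]?\s*(\d{9})")
ACCOUNT_RE = re.compile(r"(?i)account(?:\s*(?:number|no\.?|#))?\s*[:\-]?\s*(\d{6,17})")


def aba_checksum_ok(routing: str) -> bool:
    """ABA routing numbers use weights 3,7,1 repeated; the weighted sum must be 0 mod 10."""
    if not re.fullmatch(r"\d{9}", routing):
        return False
    d = [int(c) for c in routing]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def extract_wiring(text: str):
    """Return (routing, account) found in the email body, or None for a missing value."""
    r = ROUTING_RE.search(text)
    a = ACCOUNT_RE.search(text)
    return (r.group(1) if r else None, a.group(1) if a else None)


def review_payment_request(vendor: str, email_body: str) -> list:
    """Return a list of findings; an empty list means the instructions match what is on file."""
    findings = []
    routing, account = extract_wiring(email_body)
    if routing is None or account is None:
        return ["no complete wiring instructions found"]
    if not aba_checksum_ok(routing):
        findings.append(f"routing number {routing} fails ABA checksum")
    on_file = VENDOR_MASTER.get(vendor.lower())
    if on_file is None:
        findings.append("vendor not in master file; verify by phone before paying")
    else:
        if routing != on_file["routing"]:
            findings.append(f"routing changed from {on_file['routing']} to {routing}")
        if account != on_file["account"]:
            findings.append(f"account changed from {on_file['account']} to {account}")
    return findings


# Constructed sample emails: one matching the record on file, one with altered details.
LEGIT = "Please wire the invoice amount. Routing number: 123456780, Account number: 000111222."
ALTERED = "Our bank has changed. Routing number: 987654320, Account number: 555666777. Send today."
```

Any non-empty finding should trigger a callback to the vendor on a phone number already on file, never one taken from the email itself.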


Legal costs

The legal costs of a data breach will vary depending on a company's industry and the data it holds. As Dark Reading points out, data breaches often result in the compromise of crucial information like client materials, medical records, Social Security numbers, and addresses. Data that can aid identity theft has obvious monetary value for threat actors. The release of health information may give victims cause for concern about employment discrimination.

Also, in the case of the healthcare industry, disruptions due to a data breach can lead to loss of human life.

Depending on the specifics, the compromised data can be of great value. We can expect the affected parties to react with legal action proportional to the value of that data.


Downtime and loss of productivity

To repeat a point from IBM's Data Breach Report 2021: Businesses need an average of 75 days to contain a data breach.

For 75 days, your employees can't focus on their normal business to generate revenue. And salaried employees may be sitting around, twiddling their thumbs for two and a half months.

And when you do finally get back to business, you have to play catch-up. You've lost so much momentum. Who knows how long it will take for your employees to get their groove back?


Loss of clients and contracts

This point is a bit of a continuation of the one above.

If you're unable to fulfill your obligations, clients will understandably look for someone else to fill their needs. They may take their business elsewhere, leaving you wondering how you're going to meet next month's payroll.


Incalculable costs

Some costs are difficult to put a dollar amount on. That doesn't make them any less significant or concerning.


Loss of intellectual property and competitive advantage

Intellectual property includes numerous facets, each with their fair share of costs.

Intellectual property is proprietary and unique to your company. It may give you a leg up on the competition. Once that intellectual property is exposed to the public, you may have lost a vital competitive advantage, making your company no more viable an option than anyone else. On top of that, all of your company's research and development costs have now gone down the drain, benefiting those who didn't pay their fair share for the information or technology.


Reputational damage

Perhaps you've heard the adage:

It takes many good deeds to build a reputation, and only one bad one to lose it.

Years of relationship-building and goodwill can go down the drain because of one security incident. Business that you could count on year after year can be gone in the blink of an eye.

Another piece of folk wisdom says that if you make people happy, they might tell one person; but if you make them angry, they'll tell the whole world.

This concern does not apply only to former or potential clients; it also applies to former and potential employees, which can make hiring highly qualified candidates even more difficult.


Recurring incidents

Threat actors like to keep things simple. When possible, they prefer to stick with what works.

If you don't make proper adjustments after one data breach, you can rest assured you will most likely have another data breach.

And for every additional breach, you can multiply the costs and effects of one data breach, increasing the stress for your company and remaining clients and employees.


Breach fatigue

Breach fatigue is the exhaustion that lingers long after a data breach has come and gone. It's an accumulation of all the points listed above (and those not included).

You can call it "burnout" if you like, but in this case, a data breach is the root cause.

Breach fatigue may be accompanied by apathy, leading employees not to do their part to lessen the odds of another data breach.
And so, the cycle is destined to repeat.