How to calculate the cost of a data breach?
The COVID-19 pandemic has expedited the transition to remote work and the digitalization of business. Hybrid workforces and virtual engagements are the new norms. These new ways of conducting business have led cyber incidents to proliferate. In today’s digital economy, data is the most valuable asset a business holds as it is at the heart of all business activities. With e-commerce driving most industries, data has become crucial for business success or failure. The value of your data cannot be emphasized enough. Therefore, a data breach is a very real concern that a business must take seriously.
In this article you will learn:
What is a data breach?
How is the data breach cost estimate obtained?
Where do the data breach costs come from?
How to reduce the cost of a past data breach?
What is a data breach?
A data breach is a security violation in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual who is not authorized to do so. Improper management and sharing of sensitive data can also be considered a data breach and lead to costly penalties.
How is the data breach cost estimate obtained?
Each year, IBM and the Ponemon Institute publish the Cost of a Data Breach Report, in which data from 17 countries and regions and 17 industries are compared and analyzed to estimate the cost of a data breach per record. The report also analyzes data breach trends and the factors that mitigate or increase the cost of a data breach. The following conclusions, among others, can be drawn from the data in the IBM report:
- The average cost of a data breach reached a record high in 2022, rising from USD 4.24 million in 2021 to USD 4.35 million in 2022.
- The per-record cost of a data breach hit a seven-year high. The global per-record cost of a data breach in 2022 was USD 164, a 1.9% increase from USD 161 in 2021
- Healthcare was the highest-cost industry for the 12th year in a row. The average total cost of a breach in healthcare increased from USD 9.23 million in the 2021 report to USD 10.10 million in 2022.
- The top five countries and regions for the highest average cost of a data breach were the United States at USD 9.44 million, the Middle East at USD 7.46 million, Canada at USD 5.64 million, the United Kingdom at USD 5.05 million, and Germany at USD 4.85 million.
- Detection and escalation costs surpassed lost business costs as the largest of the four cost categories comprising the cost of a data breach (lost business, detection and escalation, notification, and post-breach response), for the first time in six years.
- Data breaches in high data protection regulatory environments, such as the healthcare, financial, energy, pharmaceuticals, and education industries, tended to see costs accrue in later years following the breach.
- Stolen or compromised credentials were the initial attack vector with the longest mean time to identify and contain the breach. Breaches caused by business email compromise had the second highest mean time to identify and contain, at 308 days. Business email compromise was also the second costliest initial attack vector, with breaches costing an average of USD 4.89 million. Breaches caused by phishing had the third highest mean time to identify and contain, at 295 days, and had the highest average cost by initial attack vector, at USD 4.91 million. Vulnerability in third-party software had the fourth-highest mean time to identify and contain a breach, with an average that was above the overall average — 284 days versus 277 days.
Where do the data breach costs come from?
When you examine where the costs of a data breach come from, there are many different areas in which your business can be affected by lost or stolen data. Data breach costs are calculated with a costing methodology called activity-based costing, which identifies the activities involved and assigns a cost to each according to actual use. Some of these activities are:
- Conducting investigations and forensics to determine the cause of data breach
- Organizing the incident response team
- Conducting communication and public outreach
- Preparing documents and other required disclosures to data breach victims and regulators
The following are some of the activities conducted after the data breach has taken place to ensure recovery from it. They can include:
- Audit and consulting services
- Legal services for defense
- Legal services for compliance
- Free or discounted products or services offered to victims of the data breach
- Identity protection services
- Lost customer business
- Customer acquisition and loyalty program costs
Once the company estimates a cost range for these activities, the cost can be further categorized as direct, indirect, and lost opportunity, as defined below:
- Direct costs are the expenses for dealing with a detected breach. This includes the costs of forensic and investigation activities, fines, and compensation to affected parties.
- Indirect costs are connected with the time, effort, and other resources necessary to cover losses from the data breach. Indirect costs include expenses for communications regarding the status and effects of the breach; issuing new accounts, credit cards, and credentials; and lost revenue from system downtime.
- Lost opportunity costs account for lost business opportunities as a consequence of reputational harm. For example, a breach can lead to a loss of potential customers, a drop in profits due to a loss of reputation, or a loss of competitive advantage in the market.
Other core process-related activities drive a range of expenditures associated with an organization’s data breach detection, response, containment, and remediation. These four cost centers are:
- Detection and Escalation: Activities that enable a company to reasonably detect the breach. These can include forensic and investigative activities, assessment and audit services, crisis management, and communications to executives and boards.
- Notification: Activities that enable the company to notify data subjects, data protection regulators, and other third parties. These can include emails, letters, outbound calls, general notices to data subjects, determination of regulatory requirements, communication with regulators, and engagement of outside experts.
- Post-breach response: Activities that help victims of a breach communicate with the company, and redress activities for victims and regulators. These include help desk and inbound communications, credit monitoring and identity protection services, legal expenditures, product discounts, and regulatory fines.
- Lost business: Activities that attempt to minimize the loss of customers, business disruption, and revenue losses. These include business disruption and revenue losses from system downtime, the cost of losing customers and acquiring new ones, reputation losses, and diminished goodwill.
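The activity-based costing model described above, implemented as an added example (not the page's or the IBM/Ponemon report's own code): each activity is tagged with one of the four cost centers and one of the three cost types, totals are aggregated along both dimensions, and a per-record cost is derived. The activity amounts and the 50,000-record count are constructed assumptions.

```python
# Added example (not from the page or the IBM/Ponemon report): activity-based
# costing with the four cost centers and the direct/indirect/lost-opportunity
# split described above. All activity amounts are constructed sample values.
from collections import defaultdict
from dataclasses import dataclass
CENTERS = ("detection_escalation", "notification", "post_breach_response", "lost_business")
TYPES = ("direct", "indirect", "lost_opportunity")

@dataclass(frozen=True)
class Activity:
    name: str
    center: str       # one of CENTERS
    cost_type: str    # one of TYPES
    amount: float     # USD
    def __post_init__(self):
        if self.center not in CENTERS or self.cost_type not in TYPES:
            raise ValueError(f"unknown category on {self.name!r}")

def sum_by(activities, attr):
    """Aggregate amounts by one attribute ('center' or 'cost_type')."""
    totals = defaultdict(float)
    for a in activities:
        totals[getattr(a, attr)] += a.amount
    return dict(totals)

def breach_cost(activities, records):
    """Total cost, per-record cost and the largest of the four cost centers."""
    if records <= 0:
        raise ValueError("records must be positive")
    total = sum(a.amount for a in activities)
    by_center = sum_by(activities, "center")
    return {
        "total": total,
        "per_record": total / records,
        "by_center": by_center,
        "by_type": sum_by(activities, "cost_type"),
        "largest_center": max(by_center, key=by_center.get) if by_center else None,
    }

# Constructed sample: a hypothetical breach exposing 50,000 records.
SAMPLE = [
    Activity("forensics and investigation", "detection_escalation", "direct", 950_000),
    Activity("crisis management, board comms", "detection_escalation", "indirect", 300_000),
    Activity("letters and outbound calls", "notification", "direct", 150_000),
    Activity("regulatory requirement analysis", "notification", "indirect", 50_000),
    Activity("credit monitoring for victims", "post_breach_response", "direct", 400_000),
    Activity("reissued credentials and cards", "post_breach_response", "indirect", 200_000),
    Activity("revenue lost to downtime", "lost_business", "indirect", 500_000),
    Activity("customer churn, reputation", "lost_business", "lost_opportunity", 700_000),
]
```

Calling `breach_cost(SAMPLE, 50_000)` gives the total, the per-record figure comparable to the report's USD 164 benchmark, and which cost center dominates.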
Here is a list of some of the latest data breaches in 2022:
- Plex: Streaming platform Plex suffered a data breach impacting most of its users, approximately 20 million.
- Optus: Cybercriminals gained access to Optus' internal network and to a customer database pertaining to up to 9.8 million customers. It was speculated that the group gained access through an unauthenticated API endpoint, meaning that no username/password or other authentication method was required to connect to the API.
- Uber: A threat actor managed to gain access to Uber's vulnerability reports, the company's internal systems, email dashboard, and Slack server, jeopardizing Uber services.
- American Airlines: American Airlines disclosed a data breach after employee email accounts were compromised, along with an unconfirmed amount of personal data.
- Mailchimp: Mailchimp fell victim to a data breach after cybercriminals gained access to a tool used by internal customer support and account administration teams following a successful social engineering attack. However, this initial intrusion was only the preliminary stage of the entire attack.
Businesses should be aware that these costs can persist long-term, even years after the breach. The effects are long-lasting!
How to reduce the cost of a past data breach?
Assessing your security risks is a good start at improving your cyber defenses. It is pertinent to find out what can harm your organization the most. To accomplish that, you can conduct a risk assessment, a practice that helps you identify sensitive data, threats to the organization, the potential impact and likelihood of those threats, and the business risks they pose. Forming an incident response team and implementing an incident response program can reduce the average cost of a data breach significantly. Threat detection time and mitigation play a crucial role in determining the cost of a data breach. The most efficient way to detect security threats quickly is to monitor activity in your network and be notified of any odd or risky actions. Leveraging Artificial Intelligence (AI), Identity and Access Management (IAM), and Multifactor Authentication (MFA), and implementing a zero-trust approach, can improve your security posture and safeguard your business from lurking threats.
Rainbow Secure Single Sign-On with multi-layer graphical security and advanced security protection is ideal in today's world of hybrid work and increased data sharing. Consult the Rainbow Secure team to save your business from these data breach costs and use that money to grow your business.