What is the true cost of a security breach?
Increasing cyber-criminality puts companies at risk of hacking, data breaches or other compromise. In the worst-case scenario, a security breach can put a company out of business, but most losses are far smaller. For companies looking to mitigate this risk, how can they work out the true cost of a security breach?
Strategic security decisions need to strike a balance between cost, security and usability. However, assessing the cost of IT security risks is particularly difficult because there are so many unknown variables and differing accounts.
In June 2016, the Ponemon Institute’s Cost of a Data Breach study declared that the average cost of a large data breach is $4 million. That works out to $150 per breached record, but some market analysts would put the figure much lower.
Contrast the above findings with a 2015 report by the US Federal Trade Commission (FTC), which categorized the various costs of cyber-attacks into data breaches, security incidents, privacy violations and individual financial crimes such as phishing and skimming incidents. While it estimated the total costs from cyber events at $10 billion annually, the FTC found the typical cost of a data breach to be under $200,000.
That is quite a difference – so who is right?
The last company to be driven out of business by a data breach was a high-risk payment processor, Cardsystems, over ten years ago. However, many companies have suffered severe financial losses. For example, Home Depot is still facing repercussions from a data breach in 2014. It recently agreed to pay banks an added $25 million - on top of $179 million already spent - for data breach settlements. And when Saudi Aramco was hit by the Shamoon malware, it had to replace 30,000 systems.
Comparing cyber-losses to other losses
The FTC says cyber incidents cost firms only 0.4% of their annual revenues, a fraction of the losses from retail shrinkage (1.3%), online fraud (0.9%) and overall rates of corruption, financial misstatements and billing fraud (5%).
“I suspect the actual cost of breaches is much lower than the industry tries to suggest,” security analyst Adrian Sanabria of 451 Research told us.
Quantifying the cost of a data breach is not a precise science. Start with the direct breach costs, such as consumer credit monitoring, fines, lawsuit settlements and outside forensic investigation costs. The cost of improving IT security procedures and processes is, arguably, an investment that should have been made in the first place.
In addition, there will be indirect costs which are open to interpretation, such as the price of reputational damage and its effect on the growth of the business, in both sales and the ability to attract new talent and partnerships.
Secondly, when researching breach costs, it’s important to separate security incidents from data theft. Security incidents can be much more damaging than data theft, because they often result in direct disruptions to operations.
Cyber insurance companies estimate data breach costs in policies designed for different industry verticals. For example, it’s possible to get cyber insurance coverage up to $30 million, according to Ethan Miller, partner at the San Francisco law firm Hogan Lovells.
Use your own assessment to weigh up these figures. “These figures represent the worst possible scenario,” says Liviu Arsene, Senior E-Threat Analyst at Bitdefender, “but they serve to put things in perspective in terms of how much a company could stand to lose.”
Technology and processes
Working out your priorities for investment is a strategic decision. It’s not a question of simply how much a company should invest in security. The goal is to put technology and processes in place that can mitigate business risk. Security is a work in progress that must be constantly shaped around each line of business and its changing needs.
When making the case for security to the board, present financial projections in terms of reduced operational costs, efficiency estimates and current threat trends.
The weakest link in the security chain is the human factor, and that should be the priority investment. This is why Shadow IT is so potentially damaging to enterprise security policies. To temper the downsides of BYOD, a sizeable chunk of the security budget should be spent on employee training, covering topics such as how to identify spear-phishing attempts, handle company data and recognise social engineering attempts.
Cybersecurity strategy should protect critical business assets such as intellectual property, financial data and customer data in order to ensure business continuity after a data breach. Encryption for both in-transit and at-rest data is always vital, as are backup and recovery and incident response strategies. Layered security defenses, coupled with authentication, authorization and accounting policies, are designed to increase the cost of attack for cybercriminals and give them less of a target.
Enterprises should always identify critical assets before creating any security policies. Every policy should base access authorization on strong authentication. Accountability technologies, which indicate compromises during or after a data breach, are vital. Measurement and monitoring are essential to security management, and they only really work with accurate records of events.