Illustration of a hacker's hand during a databreach

The Costs of a Data Breach

If you are in leadership at your organization, just the thought of a data breach likely causes you to lose sleep at night. There are so many ways your organization is vulnerable to a data breach, the prospect of mitigating all of them seems daunting amidst all the everyday work to be done. It is also difficult for most organizations to understand that investing in good cyber defense pays dividends for your organization in the long run. Making the case to your leaders, board of directors and shareholders that there is a need to invest in Cybersecurity, Security Operation Centers, and managed security services starts with understanding what a breach of your systems might cost your organization.

How hard would it be to run your business if you did not have access to your data or if your systems were down for 20+ days? Would that hurt your business, delay your growth, or shut down your business altogether? How much information do you think a hacker could get out of your company in 9 months if they just sat and watched?

In 2022, it took an average of 277 days, around 9 months, to identify and contain most data breaches. That is 9 months for hackers to download your data, look around at all your IP, and eventually affect your business in ways you may not be aware of. In the United States, data breaches averaged $9.44M each to identify and remediate, $140-$160 per record compromised.

System breaches can affect companies of all sizes. Many larger companies can absorb some of the costs of ransomware attacks, and according to Coveware, the most targeted companies in 2022 were SMBs with <1000 employees.

Good cybersecurity monitoring, usually through a Security Operations Center (SOC), should be ever-present and allow you to focus on higher priorities within your business.

There are 12 main costs that come with a system breach:

Ransom Demands

This is the obvious one, hackers want to get paid. According to Sophos’s State of Ransomware 2022 report, the average ransom payout was $812,360. Through their surveys, Coveware found a $228,125 average payout, and median payout of $36,360. According to IBM, ransom demand complete incident costs in 2022, rose in 2022 to 4.49M if you pay, and 5.12M if you do not. Ransomware breach’s costs are based on activities that will affect your business no matter if you pay or not, such as detection of the attack, loss of business due to system downtime, cost to notify customers and legal costs.

It is good to remember that these hackers are smart and they do their research on your company before offering a ransom. They will know what may hurt your business the most and what you can afford to pay out. The cost of a ransom varies based on the industry and size of the business, and it typically ranges from 1%-5% of annual revenue. Hackers may also offer incentives to pay faster.

Can your organization survive a large or prolonged system outage and a large financial payout to get access to your compromised data back? It is worth considering cyber insurance that will help with the payout of the ransom. Your insurance rates will vary based upon your ability to mitigate a cyber-attack. More on that later in this article.

Compromised Data

When you think about data at your organization that is valuable, be sure to include personally identifiable information (PII) and intellectual property (IP). Your company’s most valuable assets and the secret to your company’s future success is in your IP and your ability to keep your customer’s data safe. Hackers can do a few things with compromised data. They can sell it to the highest bidder, they can try to extort the victims contained in the data, and they can encrypt your data so you cannot get access to it without paying them, just for starters.

How much PII, names, social security numbers, addresses, medical records, financial records, passwords, and credit card numbers, are available in your systems from your costumers, your staff, and your business? We suggest having a security team monitoring that data, ensuring access is limited to trusted sources. What would happen to your company if all that data were wiped, encrypted, or compromised?

Downtime

What is the value of your data to your business by the hour? By the day? What about 24 days, the average downtime from Ransomware in Q2-2022?

A recent study done by the CyberEdge Group stated the average cost of downtime caused by a ransomware attack to be $5.1 million per organization. This includes the cost of lost productivity and revenue, IT labor, and post-attack expenses such as cybersecurity remediation, legal fees, and loss of customers.

Incident Response and Recovery

If you encounter a breach, time is not on your side, and you must act as quickly as possible to minimize the damage. Responding to an incident will add up quickly and can take months of work to remediate. You will need to hire experienced external security support to help mitigate and recover from the incident. As you know, nothing costs more than when you have an emergency.

Your team will need to be pulled from other tasks to quarantine the threat, review logs and activities to determine the severity and vulnerabilities in your system, repair and replace infected systems, and harden your systems from future attacks. This could take days, weeks or even months; and the longer it takes, the more it costs your organization.

Lost Business

A breach can cost you more than money and time. The business lost during your downtime will be just the tip of the iceberg. The biggest sustained loss you will suffer will be that of your current customers. After you send out the required breach notifications to your customers, depending on your industry’s regulations, your customers will begin to evaluate their choice to trust your organization. If your organization is mostly online, you will be the hardest hit, as 81% of customers stop engaging online with an organization after a data breach.

Breach Notifications

You are going to need to notify the appropriate parties of your breach including law enforcement, affected audiences, and if there was health information, HHS.

Hopefully, you have thought ahead and have a communications plan in place. Be sure to determine your legal requirements. All 50 states, the District of Columbia, Puerto Rico, and the Virgin Islands have legislation in place requiring notification of security breaches involving personal information. You are going to need to notify all the affected audiences including employees, customers, investors, business partners and other stakeholders. In many cases, you will be required to notify by mail. Think of just the cost of stamps alone for those physical breach notifications?

This will be the notification that will cause the most reputation damage and should be handled with white gloves. Don’t withhold key details that will help consumers protect themselves, and don’t publicly share information that could put more consumers at risk.

Find out more from the FTC.

Reputation Damage

When your company suffers a data breach, you will suffer some level of reputation damage. The tools and systems you have in place before the breach will help you mitigate the damage, and the lack of tools will be something you may have to explain.

If your organization suffers a data breach, you will have to share this information with your customers. Having a good plan for how you respond will be the most effective way to minimize damage. The more prepared you are for a data breach, the less likely it happens, and if it does, you will be able to share how you were prepared and what steps you are taking to reassure them your brand is trustworthy in the future.

Compliance and Regulatory Fines

Depending on your industry, you are subject to strict guidelines regarding your customer’s data. Failure to meet these compliance requirements will result in fines, penalties, and lawsuits; not to mention loss of certifications allowing you to compete for business.

Getting your organization to invest in data security upfront is the goal of regulatory bodies. Fines vary from country to country and industry to industry, so it is hard to say what to expect for your organization, but it surely is designed to hurt your bottom line.

Time to Discovery

When it comes to a data breach, time is not on your side. The more time a hacker has in your environment, the more access they can gain.

The average time taken for organizations to contain data breaches in 2021 was 287 days. Breaches with a lifecycle of over 200 days had an average cost of $4.87 million compared to $3.61 million for breaches with a lifecycle of fewer than 200 days.

Security Operation Centers (SOCs) are a key tool in discovering and responding quickly to unusual behavior on your systems. With the main purpose of keeping your systems secure, a SOC, like MPGSOC, can shorten the time to discover and even prevent most attacks from happening.

Legal Costs

When a breach occurs with customer data, you can be sure there will soon be lawsuits to follow. The more regulated industries, like healthcare and financial services, will have the costliest lawsuits. Also, companies that fail to adequately respond to known vulnerabilities are responsible for damages once they are uncovered. These costs can vary by industry and by regulations.

Employee Responses

When a cyber-attack happens at an organization, employees bear the stress of the situation. The more impactful the attack on the business, the more impactful it will be on morale, interoffice relationships, careers, productivity, and performance.

Costs of a successful ransom attack may also cause layoffs, employee turnover, and difficulty recruiting new employees. According to a study in 2022 by Cybereason, 35% of companies who were in a ransomware attack suffered c-suite resignations, and 40% of companies laid off staff.

Loss of Business Connections

Your business depends on your connections to other businesses, and these connections go both ways. If a hacker can exploit your business, it may expose the companies you are connected with to more risk, a risk your industry partners may not be willing to take on. Investors and shareholders may become hesitant to invest or even start selling off stock. Vendors and suppliers may change their terms of service or stop working with you all together to distance themselves from the exposure you bring them.

Increased Insurance Costs

Cyber Insurance is now a regular part of today’s business insurance packages. Although having cyber insurance allows you to cover many of the financial costs associated with a breach, your premiums are sure to rise after a data breach, if you are even insurable. On the opposite side of the coin, having good cyber hygiene and constant monitoring before a breach could help to bring your premiums down.

How to best avoid a security breach

The first step to avoiding a security breach is understanding your vulnerabilities and making a plan to monitor and mitigate those vulnerabilities. Conducting a Cybersecurity Gap Assessment can help you better understand where you are most vulnerable, where your planning and training may be behind, and find where your biggest threats may come from and what it will take to plug those holes and minimize the damage to your organization.

Working with a cybersecurity firm that specialize in managed SOC services; governance, risk, and compliance; as well as penetration testing ensures your reviews will be comprehensive. Oftentimes, the organization that found the gaps is the one that can help you reduce your risk effectively.

More information: How to Minimize the Cost of a Cyber Attack

‍

Sources: