Business Journal Ask the Expert Column – March 2020

Our CEO insists that the cost of a data breach is overblown and that because we’re not a global company our risk is actually lessened. Can you give me some insights to open his eyes before our next management meeting?

Data breaches are among the most costly events that can happen to any business or organization. The immediate costs and damage can easily run into the millions and overwhelm even the best-run organizations. The long-term ramifications for the business, its relationships, its sales, and its brand can lead to financial ruin if the incident response is not managed properly.

To complicate matters, the data breach lifecycle, the time from initial compromise to containment, is getting longer. Over half of all data breaches are classified as malicious breaches: breaches initiated by an individual or group with the intent of doing your business grave harm, as opposed to system glitches or human error.

According to Varonis’ article, 107 Must-Know Data Breach Statistics for 2020, it takes an organization 314 days on average to identify and contain a malicious breach. Even worse, malicious breaches can cost as much as 37% more than breaches caused by human error (IBM Security, Cost of a Data Breach Report 2019). In other words, if you are like most organizations, almost a full year passes between the initial compromise and containment, and recovery proper cannot begin until then.

The Greatest Financial Threat in the History of Modern Business

The old proverb, “An ounce of prevention is worth a pound of cure,” needs to be updated for the modern world of cyberattacks. Today, “An ounce of prevention is worth a ton of cure,” and probably more. Varonis states that the costs of data breaches have risen every year since 2014 with no end in sight. The numbers are staggering, and the losses continue to accrue for years after the incident.

  • $8.2 million – average cost of a data breach in the U.S.
  • 67% of breach costs are incurred in the first year after the breach
  • 22% of breach costs are incurred in the second year
  • 11% of breach costs are incurred in the third year and beyond

Commercial Markets are at Substantially Greater Financial Risk

Within the commercial market lies the misconception that because a business is not global, the loss and disruption caused by a data breach will be small. The opposite is true. While high-profile breaches of “mega-companies” make sensational headlines, the per-employee cost of a data breach at a smaller company is far higher and can result in losses that permanently damage the organization’s financial viability. The larger the organization, the deeper its coffers and the better equipped its staff will be to respond to a breach and recover from the loss. The numbers from Varonis and IBM Security tell the story clearly.

  • $204 – data breach cost per employee in companies with more than 25,000 employees
  • $3,533 – data breach cost per employee in companies with 500 – 1,000 employees
  • 1,632% – increase in per-employee breach cost from the largest companies to the 500 – 1,000 employee bracket

The Big Losses: Loss of Business, Loss of Trust, Loss of Customers

Beyond the loss of data and the damage to systems and networks, lost business and lost intangibles weigh heavily on your financial recovery after a breach.

IBM Security reports that the average cost of lost business resulting from a breach approached $1.5 million in 2019. How a business handles damage control and customer relations following the incident is the ultimate determining factor in how quickly revenues return, although some permanent loss of business among a subset of customers and business partners is inevitable.

More importantly, expect the cost of acquiring new customers and winning back old ones to remain elevated for an average of five years after a breach. All the goodwill and equity built into relationships can evaporate the instant a breach is announced, so it is best to enlist a public relations firm or consultant with a proven record in damage control.

There is no reason to ignore the financial peril that data breaches represent. If nothing else, suggest to your CEO that the organization needs an incident response (IR) team and a written incident response plan. Then hold simulated data breach exercises to test the plan and hone the team’s skills; a plan that has never been rehearsed is unlikely to hold up under a real incident. It is a strategy that can pay big dividends: according to IBM Security, companies that have IR plans and conduct tabletop exercises save close to $1.25 million on average in the event of a breach.