What is the real cost of a data breach? To your organization, that can mean a number of things. A data breach costs you in the value of the data lost, as well as in its consequences for your operations. There are also possible ransomware pay-offs, not to mention significant time and effort in incident response and recovery. A breach is also a highly visible dent in your security armor and, as a result, a serious threat to your public reputation. It compromises your customers’ or patients’ right to privacy, as well as their trust in you to defend it, potentially costing you permanently lost business.
Many organizational and IT leaders, with perfectly good intentions of balancing budget priorities, address regulatory compliance requirements but skimp on other important IT security investments that could elevate their security posture and reduce risk. This includes going with lowest-price audit providers in lieu of ones with deep expertise. Like most things, IT security assessments are a “you get what you pay for” world, and saving a little now could cost you dearly later.
Let’s step back and examine data breaches—Why do they occur? What do they cost you? And how can you defend your organization’s assets with wise investments?
Why Do Data Breaches Occur?
A data breach isn’t always a cyberattack. IBM Security’s Cost of Data Breach Report 2020 breaks data breaches down into three categories: malicious attacks, system glitches, and human error. Seventy-five percent of the time, data breaches can be attributed to employee involvement—be that accidental or intentional. And of the 52% of malicious attacks, the majority use stolen credentials, a breakdown in the supply chain, or a misconfiguration of a cloud system to find their way in.
Worth noting is that phishing, BEC scams, and social engineering account for 22% of attack fronts. Even within the category of malicious attacks, human error is pervasive, because hackers know the human element is usually your weakest link.
So there is no universal answer as to why data breaches occur. They’re almost always unexpected and become even more problematic if they’re not noticed until well after the fact. While system errors can be easier to detect, social engineering scams and other human-based attack fronts are trickier, which is why it’s important to build a culture of reporting any and all suspicious digital or physical security activity promptly to your IT team.
Like most IT security concerns, threat vectors are varied and complex, which is why your security policies need to be adaptable, comprehensive, and always capable of rising to the occasion. How you go about mitigating disaster will have tangible consequences for your organization’s pocketbook—which brings us to…
What Do Data Breaches Cost You?
Just as the causes of a data breach vary, so do the cost calculations: they largely depend on what kind of organization you are, what data you handle, the size of your customer base, and the actual extent of the damage done. This is why it’s critical to know your worth, literally: which of your assets are the most valuable to hackers? How can you compensate for potential downtime? Are you keeping your employees, clients, and supply chain informed?
The cost of a breach is also affected by how clearly you understood your security posture going into it. If you’ve had a recent IT Risk Assessment to understand your total security picture, or you’ve kept up your scanning via Vulnerability Management, you’re more likely to prevent a breach outright or to detect and cut it off quickly, thereby reducing costs.
To begin to determine the cost of a data breach, we can ask a few questions:
- How are you detecting and de-escalating the breach? What security measures do you have in place, and what measures have you taken in the past (e.g. an IT Security Assessment)?
- What are you doing to communicate? It’s important to get the word out to your clients, but to cover all your bases, you should have open lines of communication with legal experts and regulatory consultants.
- How are you maintaining regular functionality? Data breaches can cause downtime for your online services, which can deal a blow to your revenue and your reputation.
- What will the aftermath cost you? It’s not just about the cost of stripped data. Breaches can come with potential fines and legal fees, particularly if your organization fails to notify its clients of danger to their private information.
Then there’s the type of data involved. When it comes to the costliest, most frequently targeted category, customer PII (personally identifiable information) outpaces the others by far. Although the cost per record varies across countries and industries, American healthcare records are worth the most money (and are one of the highest-risk types of data). Across all types at risk (customer and employee PII, intellectual property, etc.), IBM reports that the average cost per record in small and large breaches is $146.
Unfortunately, that doesn’t take into account the more insidious mega breach: any data breach in which more than one million records are stolen. According to IBM, in 2020 the cost of a mega breach ranged anywhere from $50 per record to $392 per record, depending on the number of records lost.
In April of this year alone, Facebook suffered a data breach worth over $3.7 billion after malicious actors exploited a vulnerability in a now-defunct site feature. Phone numbers, dates of birth, location, full names, and addresses for approximately 533 million accounts were among the data lost, although the company chose not to notify affected users.
In January of 2020, Microsoft reported a breach of approximately 250 million records, including email addresses, IP addresses, and chat logs, costing around $1.8 billion. The admitted cause? “[Misconfiguration] of an internal customer support database”.
Just two months later, Marriott warned that data for 5.2 million of their guests was at risk after hackers stole two employees’ login credentials. Names, addresses, and some phone numbers and emails were exposed, for a total estimated cost of $50 million.
Thankfully, there’s good news all around for anyone cringing at the price tags above: bolstering your IT security takes a noticeable chip out of potential costs.
What Investments Have the Best ROI?
Easily, the most cost-effective solution is risk management and incident response. IBM notes that practices like attack simulations, formulating response plans, and putting them to the test can save your organization over $230,000 in the case of an actual breach.
The key is ensuring that your entire team gets involved. It’s not enough to drill your IT team—you should be rolling out security awareness to everyone, from HR to sales. Security awareness training often involves simulated phishing attacks and other forms of social engineering, to test your employees’ recognition of and response to suspicious activity.
An IT Risk Assessment is a smart choice for financial institutions looking to understand risk across their total security picture. This in-depth assessment, and subsequent remediation, are also a smart way to prepare for your next regulatory audit to help avoid costly fines. BAI’s IT Risk Assessment comes with several customizable options:
- Natural & Man-Made Threats
- Physical & Administrative Security
- Cyber Security
- Physical Security for Additional Locations
For real-world rigor, you might check out our Red Team Assessment, which makes use of present-day methodologies and attack fronts to test your organization’s defenses against a skilled human attacker. All of our assessments are executed by our team of seasoned experts and tailor-made to meet your needs—because no two cyber-threats, or organizations, are the same.
Take a step toward cost-effective security and compliance, and contact us today.