This is part 1 of a 4-part series examining data breaches, what they cost, why they are increasing in frequency, and what you can do about them.
By just about every measure, 2015 was a record year for data breaches, and 2016 is on pace to beat it. Not only is the number of breaches increasing, but so are the costs. The Ponemon Institute’s 2016 study of 383 organizations worldwide found that the average total cost of a data breach rose from $3.79 million to $4 million over the previous year. If numbers like that make your eyes glaze over, let’s break them down into components any business can relate to: what really constitutes the cost of a breach?
Analysts point to two types of costs: direct and indirect. Direct costs start with the value of the strategic assets or intellectual property that is stolen or compromised. Then there are the costs of notifying customers, complying with regulatory disclosure requirements, setting up customer hotlines, offering credit monitoring to victims, and paying professional fees for public relations and crisis management. Indeed, breach response has spawned an entire industry. Breach investigation and remediation by outside experts is also a big business – and a big expense.
Another cost companies may not think about is the loss of productivity, as staff resources are diverted from everyday operations to crisis resolution. Finally, there are the costs of lawsuits, settlements and regulatory fines.
Indirect costs may take longer to become apparent, but can be even greater in the long run. They include damage to the organization’s reputation and brand value, loss of customer confidence (and customers themselves), a likely drop in a public company’s share price and market value, and a lower credit rating that translates to higher borrowing costs.
When you break the cost of a breach out into its many components, you can see why it adds up quickly – and understand better the potential financial impact on your organization. Breach prevention measures are essential, no question, but more and more companies are coming around to the reality that breaches are inevitable, and they have to start thinking about how to mitigate and minimize the cost of a breach once it occurs.
Here’s a starting point: researchers are finding that the cost of a breach rises or falls with the length of time an attacker is allowed to linger undetected in the environment, that is, the interval between initial compromise and detection. That’s known as “dwell time,” and the longer it runs, the more data the attacker can reach and the more expensive the cleanup becomes. Dwell time is the topic of our next blog.