No two words inspire a deeper feeling of dread in CEOs and CFOs than “data breach.” Most executives are queasily familiar with the glaring news headlines detailing the catastrophic consequences that corporations such as Target, Home Depot, Neiman Marcus and even the credit reporting agency Equifax have experienced after hackers compromised their customers’ digital information. Perhaps even worse, the federal Office of Personnel Management’s (OPM) network was infiltrated twice by hackers linked to the Chinese government who gained access to 5.6 million fingerprint records and 21.5 million Social Security numbers of federal employees. All of this attention has made many people wonder about the true cost of a data breach as well as the most effective way for a business to respond to such a catastrophe.
Data Breach Defined
In the simplest terms, a data breach happens whenever an unauthorized person or entity gains access to information that is meant to be kept private. In terms of businesses, this data often includes personally identifiable information (PII), personal health information (PHI), Social Security numbers, credit card data, software source code and corporate secrets. Hackers might simply view it without taking any immediate action, or they can co-opt the information for their own criminal purposes. Even years after the incident, bad actors can continue to exploit what they stole across the internet by taking advantage of the tendency of many users to recycle the same passwords. Information can be compromised for three main reasons: human error, glitches or vulnerabilities in the system and malicious attack. Regardless of what precipitates the data compromise, cyber security costs are significant.
The Financial Ramifications
The Ponemon Institute’s 12th annual “Cost of a Data Breach” study gives a quantitative snapshot of data breach cost, including factors such as causes and ways to mitigate them. The report covered the cost of data breaches in organizations based in 16 countries and regions and across 17 industries. According to the findings, the global average cost of a data breach during the nine-month period between July of 2018 and April of 2019 was $3.92 million, a 1.5 percent increase from the previous year. The highest average cost for a data breach occurred in the U.S. health care industry at a staggering $6.45 million. Another sobering finding was that the average attack-based data breach took 314 days to identify and neutralize. While 66 percent of costs are incurred during the first year of a breach, one-third of the financial effects do not manifest themselves until later. Considering that 51 percent of all breaches occur due to malicious activity, it is no wonder that the cost of cyber security is so high.
Shadowy perpetrators who lurk on the periphery of your network certainly deserve significant attention, but what about the other 49 percent of information compromise incidents? As it turns out, 25 percent come from vulnerabilities and failures in companies’ technology, and the remaining 24 percent arise from human neglect, carelessness and other errors. All of these can add to your cyber security cost.
Reducing the Monetary Consequences of a Data Breach
The institute’s report also clarified the nature of the most effective breach mitigation strategies. Of all the measures that were tested, formulating an incident response team proved to be the best way to lower cybersecurity cost to the tune of an average $360,000 cost per record data breach. This diversified group of skilled professionals is expert at identifying risks and vulnerabilities, using intelligence to detect and protect against threats, utilizing tactical and strategic methods to remove the threat and keep it from happening again and rebuilding the network after loss or breach. Implementing protocols such as encryption, employee training, artificial intelligence (AI) platforms and ongoing staff training are also very effective defense mechanisms that can increase the cybersecurity protection structure for organizations both large and small.
The Lesser Known Toll of Data Breaches
As if the direct hit to your wallet was not enough, there are additional ramifications of system compromises. Incidents can often cause serious disruptions in your ability to do business. In addition, customers who have been victims of these incidents may take their commerce elsewhere. Frequently, companies are subject to regulatory fines and legal costs. In addition, they are usually expected to notify customers of the breach and provide free credit monitoring and identity repair, all of which can be very costly. Furthermore, the value of their stock often drops and can take years to recover. Finally, there are the unquantifiable losses of opportunity and competitive edge that inevitably occur and can set a company back months and even years.
Any robust cybersecurity approach must work to actively minimize the chances of system penetration and data breach while simultaneously planning ahead should the worst happen and information is lost or compromised. Diligent research, system monitoring and response planning are essential. Although companies can never eliminate the chances of cyber disasters, these actions can reduce their likelihood and severity as well as the length of time it will take for the organization to recover.