As we have seen over the past year, data breaches are affecting more and more companies at greater cost. Despite this, outdated security software and procedures remain prevalent even among some of the biggest companies in the world, and a common justification is that implementing new security software and procedures costs too much. However, when we look at the cost of dealing with a data breach, we see that the price of change is a small one to pay.
Extent of Breaches: Which Industries, How Many Companies and What Data?
The number of data breaches in the United States hit a record high of 791 in the first half of 2017, jumping 29 percent over the prior year. According to a new report from the Identity Theft Resource Center and CyberScout, the business category had more than half of all reported breaches, followed by the health care sector, with 30.7 percent of breaches, and educational institutions, with 11.3 percent. The financial and government/military sectors had a little more than 5 percent each.
Since most industries are not required to report detailed breach information, the exact number of records and complete data specifics cannot be known. However, experts estimate at least 12 million records were exposed in the first six months of 2017. The known stolen data includes banking information, credit card numbers, medical files and Social Security numbers.
Globally, since 2013, more than 9 billion records have been lost or stolen. That equates to 59 stolen or lost records every second.
Activities and Types of Costs Related to Data Breaches
Data breaches generally involve two types of cost:
- Direct costs, where expenses are directly attributable to accomplishing certain activities, such as the fees paid to an attorney to deal with post-breach liability.
- Indirect costs, where expenses are not directly attributable to a specific action but arise as a result of it, such as the loss of loyal customers over time.
Typical activities involved in the discovery of the data breach and the immediate response include:
- Investigating the root cause of the data breach.
- Identifying the probable victims of the data breach.
- Determining and organizing an incident response team.
- Communicating with the public.
- Preparing required disclosures of the breach to victims and regulators.
Typical activities involved in the aftermath of the breach include:
- Audit services.
- Legal services for compliance.
- Training for staff.
- Outreach to customers.
- Implementation of new security measures and systems.
Data Breach Costs and Factors Affecting the Amount
Though every data breach is different and companies handle the processes differently, reported data shows trends in costs and the variables that impact costs:
- The average total cost of a data breach is $7.35 million.
- The more records lost, the more expensive the breach: the average total cost ranges from $4.5 million for breaches with fewer than 10,000 records to $10.3 million for those with 50,000 or more.
- Data breaches cost an average of $225 per compromised record; $146 of that is indirect and opportunity costs, and $79 is direct costs, such as legal fees and new technologies.
- Costs are higher in regulated industries such as health care, which averages $380 per compromised record.
- Malicious or criminal attacks cause the majority of data breaches and are the costliest.
- Companies with effective incident response teams and plans in place can minimize the costs, since the time to identify and then contain the breach directly relates to the cost.
The fact is that malicious actors and data breaches are not going anywhere, and neither are their costs. Organizations should audit their security solutions and protocols regularly, weighing the price of replacing outdated security measures against the future expenses, direct and indirect, that can result from a data breach. Until organizations do this and make security a priority, the possibility of becoming the next big headline will always loom.