Data breaches, and being compromised, is one of, if not the single biggest issue facing businesses and organizations of all sizes today. The monetary impacts of a breach have grown from a mere nuisance to potentially company-ending.
Unfortunately, along with the costs, the likelihood of being victim to a breach also keeps increasing. As of 2022, roughly 27 percent of businesses will be victim of a cyber attack within the next year. Meanwhile, of breached businesses, 83% of businesses which have been breached once, have been breached again.
As a business owner, it's important to understand the risks and costs associated with data breaches as this often helps paint the costs and efforts to increase security in a new light.
The Average Cost of a Data Breach
First, lets get the suspense out of the way. According to IBM, which has been compiling yearly reports on data breaches for the last 15 years, the average cost of a data breach as of 2022 is a whopping 4.35 million dollars. It gets better though: that number is the global average. In the United States, the average cost is an astonishing 9.44 million dollars!
Now it should be noted this number covers breaches across all company types and sizes. But even accounting for smaller companies the price tag is still high. Companies under 500 employees saw and average cost of nearly 3 million dollars in 2021. That's a sizable dent in any budget, especially one for a small business.
Healthcare is the Biggest Target
It may come as little surprise, but the healthcare and financial sectors carry the biggest price tags when it comes to data breaches. The average healthcare bill comes out to a staggering 10 million per breach average (no wonder healthcare costs are so high!) while the financial industry is a distant second at nearly 6 million.
Most other industries tend to hover around the 3-4 million mark including things like Energy, Retail, Manufacturing/Industrial, Transportation and Entertainment.
So where does all this money go??
By now you're probably wondering "just who is getting all this money in these costs?". It's a great question and the answer is: these numbers are cumulative from several sources or avenues including:
- Detection and Escalation
- This cost accounts for things like hiring forensic and investigation teams to determine what exactly happened, how the attackers were successful and determining how to prevent it from happening again. This has become a very expensive part as of late, being almost a third of the total cost of a breach. Unfortunately, you can't just "opt out" of this either as most insurance companies require some form of investigation into a breach before they pay out on a cyber insurance policy.
- Incident Response and Recovery
- These costs center primarily around getting "back to business" and whatever things need to be done to bring the organization back to an operating state. This also includes things like legal expenditures involved with the breach, regulatory fines, credit monitoring or identity protection services if you're in retail. All things which can add up quick.
- These costs tend to be the smallest but still not something to overlook. They center mostly around notification of authorities, regulators, customers and any other sort of "PR" work surrounding the breach. A lot of these costs are figured more as employee time spent making this contact instead of doing other, more productive work. These costs usually range in the tens to low hundreds of thousands when all is set and done.
- Lost Business
- This one is the heavy hitter. The loss of business can be a difficult metric to really nail down but most estimates put this number at roughly 50% of the total cost of a breach. This includes downtime and loss of revenue directly related to said breach as well as lost reputation and customer goodwill, and potentially lost future business.
Tally those four main groups together, plus any other associated costs (we didn't even touch on situations where you may need to pay a ransom). And costs can easily balloon into the high 6 and even 7 figure range.
Serious numbers serious business owners need to take seriously
By now it should be clear that security is something any organization worth their salt needs to be taking seriously. It's no longer a "we'll do it if we find some money in the budget next year" thing but rather a core piece of business like accounting or legal protections. And while it's impossible to 100% prevent a breach, there are things you can do to mitigate the financial impact of a breach, should one happen. Implementing things like zero-trust policies can help prevent breaches while having a solid, rehearsed Incident Response Plan can help shrink costs.
As I put it to many of my clients and customers: you'll either pay some now or you'll pay double later. Don't let the person paying double later be you.