How Much Can a Data Breach Cost Your Business?
The cost of data breaches is rising rapidly, increasing 10% year-over-year according to the 2021 CyberSecurity Ventures report. The global cost of cybercrime is also spiking and could reach $10.5 trillion per year by 2025. To put the rapidly rising cost of cyberthreats in perspective, the annual cost was about $3 trillion in 2015.
Determining exactly how much a potential data breach could cost your business may be difficult, as every business and industry has unique exposures and risk factors. However, businesses can educate themselves regarding the factors that affect the cost of data breaches most and how these numbers change based on the industry and size of your business.
First, let’s define what types of cyber attacks are considered data breaches.
What Constitutes a Data Breach?
Every security incident in which an entity gains access to another entity’s information without authorization counts as a data breach. Both internal and external actors can be responsible for a data breach and the breaches themselves don’t even have to be intentional in nature. If, for example, a user accidentally sends protected data to an incorrect email address, they have committed an accidental data breach. The same goes for an employee accessing confidential client or company data they are not authorized to view, regardless of whether they have done so intentionally or not.
According to Verizon’s 2018 Data Breach Investigation Report, as many as 17% of all data breaches are unintentional. Still, the majority of breaches are both deliberate and financially motivated. Either way, they hurt both businesses and consumers in various ways.
Based on the type of breach, data exposures can fit within the following categories:
- Confidentiality Breach: When an unauthorized inside or outside agent gains access to confidential data by accident. This frequently happens with data such as patient records.
- Availability Breach: When confidential data is either lost or destroyed following a cyber attack. This happens with ransomware, for example, when cybercriminals lock or encrypt certain blocks of data.
- Integrity Breach: When an inside or outside actor alters confidential data, on purpose or accidentally. Businesses often take a long time to notice this type of breach, as no data goes missing.
Depending on the situation, any of these types of breaches can occur, individually or all at once. For clarity, confidential data can include information on customers, employees, or the business itself.
Confidential data on individuals includes personally identifiable information (PII): anything from credit card and social security numbers to personal health data. Confidential business information, on the other hand, usually has to do with intellectual property, such as trade secrets, proprietary source code, or data about lawsuits.
Notification Laws and Consumer Protection
Businesses all over the world need to abide by local data breach notification laws. These laws regulate timing requirements for informing the affected clients and the authorities. In the U.S., for example, the deadline for notifying the affected individuals differs from state to state. The 2019 Data Breach Prevention and Compensation Act was created to uphold preventative measures. An Office of Cybersecurity in the Department of Commerce was founded as a part of the Act at the Federal Commission, with the sole purpose of supervising data security.
In the European Union, the 2018 General Data Protection Regulation (GDPR) mandates a strict, 72-hour notification rule. GDPR is important for U.S. companies as well since it applies to both EU countries and non-EU countries whose products and services are sold on the EU market.
Data breach notification laws and regulations affect the cost of a data breach a great deal. For example, in Alaska, agencies are liable for civil penalties of $500 per affected resident. The total possible civil penalty amounts to a staggering $50,000.
Year-Over-Year Global Cost of a Data Breach
According to the Ponemon Institute’s Cost of a Data Breach Report, the average cost of a data breach worldwide in 2020 amounted to $3.86 million. The 2020 figure was only slightly lower than in 2019, when it hit $3.92 million. The same report found that the average cost of a data breach in the U.S. in 2020 amounted to $8.64 million. Contrary to worldwide trends in 2020, the U.S. saw a 5.49% increase in data breaches compared to 2019.
The joint research performed by IBM and the Ponemon Institute blamed the high costs of data breaches on two main factors: the absence or underrepresentation of security automation and incident response protocols in businesses and organizations. While the U.S. recorded the costliest data breach incidents in the world, the Middle East came in second with an average annual cost of $6.52 million.
According to IBM’s 2021 report, the average global cost of a data breach has reached over $4 million. That’s a 10% increase compared to 2019 due to “drastic operational shifts” caused by the COVID-19 pandemic, namely, the shift towards remote work and the cybersecurity risks associated with this work model.
The Costliest Data Breaches by Industry
If your business is a part of the healthcare, pharmaceutical, energy, or financial industry, you need to be extra cautious. These industries typically experience the highest costs associated with data exposure. The above-mentioned IBM and Ponemon report found a 10.5% increase in the total cost of a data breach in the healthcare industry.
Similarly, the retail industry experienced a 9.2% rise compared to 2019. The energy industry suffered a staggering 14.1% increase. Accompanying these severe financial losses is, often, reputational damage, which can be just as costly.
The Costliest Types of Breaches
As previously mentioned, the type of data that is breached holds some weight when determining the costs. Organizations have a wide variety of data to protect, ranging from credit card information to details from a person’s private life.
The above-mentioned 2020 IBM report broke down the breached data by type, with customer PII accounting for 80% of breaches and an average cost of $180 per record.
PII refers to personal data such as phone numbers and social media accounts. Intellectual property (32%), anonymized customer data (24%), and other customer data (23%) followed. The last recorded category included employee PII and accounted for 21% of breached data. The report also discovered an important distinction between unintentionally and intentionally compromised data, namely that if a data breach resulted from a cyber attack, the average cost per record was around 16.6% higher.
According to IBM’s 2021 report, global digital disruption is behind the record-high data breach costs. Namely, the safety measures protecting people’s health and lives from the pandemic resulted in a speedy, mass digital disruption.
According to IBM, as many as 60% of surveyed organizations were forced to move their operations to the cloud. While this change was likely inevitable, its breakneck speed ended up ramping up cyber attack costs. Organizations had a choice between moving most of their operations to a remote/online setting or going out of business. The task of setting up appropriate safety protocols and security controls to keep up with this change was nearly impossible.
In addition to having to handle a higher volume of data breaches, businesses also need more time on average to notice and confirm a breach. Worst of all, it can take businesses months to diagnose and contain a data breach, which is one of the main reasons why third-party lawsuits related to data breaches are so plentiful.
Reducing The Cost of a Data Breach
To prevent incidental unauthorized access to confidential data, consider limiting access to different data sets within your company so that employees can only reach the data their role requires. Introduce regular software updates, as legacy software is more susceptible to cyber attacks. Also, make strong, hard-to-guess passwords mandatory for all employees. Finally, invest as much time and money as you can spare in employee cybersecurity awareness training. This will help you prevent social engineering attacks such as phishing.
Reducing the time it takes to detect and respond to cyber exposures is also important. A working post-breach protocol will help you keep your cool following a cybersecurity incident and minimize the damages. Regular data security reviews will also help you identify potential exposures quickly and efficiently. The IBM report cites savings of nearly 30% in cases where a data breach was contained within 200 days or less.
However, no contingency plan or prevention method can be 100% effective. Given the enormous potential cost of a data breach, most businesses should consider investing in a cyber insurance policy with a data breach inclusion. The right cyber insurance policy will allow you to transfer all data breach-related risks and costs to your insurer in return for a monthly fee or premium. A solid policy will provide two-sided coverage:
- First-Party Coverage: Your cyber insurance policy will cover any damage caused to your business and the cost of recovery from a security incident.
- Third-Party Coverage: The policy will provide defense costs and settlements if you’re held liable by your customers, partners, or other parties that have had their information leaked from your networks.
If you’d like to gain a deeper understanding of what coverage options are available to you, or have any insurance-related questions, feel free to reach out to one of our expert brokers at any time.
Practice good work-from-home cybersecurity hygiene to keep yourself, your family, and your employees safe.