A Data Breach May Be More Expensive Than You Think
Do you have an extra $3.86 million to spare? That’s how much the average data breach will cost you according to the 2018 Ponemon Cost of Data Breach Study, sponsored by IBM. That is not a loss most companies can afford to take.

Businesses run on risk. But when thinking about the cost of a data breach, you may wonder about the price for your company and what, exactly, is at stake.

Here’s one way to think about it: You’re more likely to experience a data breach of at least 10,000 records (27.9 percent) than you are to catch the flu this winter (5–20 percent, according to WebMD).

And as in the case of the flu, it’s crucial to act quickly and seek a remedy for a speedy recovery. Since data breaches cost money, it’s best to take a cost-based approach to gain an accurate perspective of the problem at hand.

The Bigger the Breach, the Higher the Cost

How many records does your company store? According to the 2018 study, the average breach costs $148 per lost or stolen record.

If your business suffered a massive breach that grabs national headlines, what the study calls a “mega breach” (an incident resulting in the loss of 1 million records or more), it could cost anywhere from $40 million to $350 million. Not surprisingly, this figure rises as the number of breached records grows.

The Ponemon Institute study interviewed nearly 500 companies that had suffered a data breach, analyzing the many different costs including incident investigation, recovery, legal and regulatory activity, reputational damage and lost business through customer turnover.

And it’s that last cost, lost business, that is particularly significant in “mega breaches”. According to the study, one-third of the cost of a “mega breach” can be placed at the door of lost business.

But there is another, considerable threat bubbling below the surface.

Spotting a Breach

For a start, it takes a lot longer for smaller businesses to recognize a breach; SMBs may never know they’ve had one. And this is dangerous for everyone. Many people fail to recognize the damage incurred by the small, unreported data breaches that take place all the time.

According to Verizon’s 2018 Data Breach Investigations Report, 58% of cybercrime victims in 2017 were small businesses. In another recent study, analysts found that 90% of credential exposures comprised under 5,000 accounts, which suggests they were connected to small and medium-sized businesses (SMBs).

Larger companies tend to have better detection tools, and a major breach is more likely to be picked up by the cybersecurity community and reported to the media. One key consideration is how long it takes a business to identify and contain an incident.

The Ponemon Institute study puts it this way: if there were a straight highway around the world, you could drive the whole of it in 21 days. The average time to identify a data breach? 196 days (around 6.5 months). And the average time it then takes to contain a breach is another 69 days.

So, if a typical smaller-scale data breach takes a total of 266 days (over 8.5 months) to detect and contain, how long does it take on average to handle a “mega breach”?

Again, the news is not good. According to the report, a “mega breach” takes 365 days on average to detect and contain. Yes, one year.

In short, the longer it takes to discover that you have been breached and fix the problem, the more it’s going to cost you. And the thing is, you have a lot to lose.

What Your Business Can Do

If you put ‘data breach’ in a box marked ‘scary’ and ignore it, that is a route to failure.

Clearly, more needs to be done to stop data breaches from happening in the first place and to reduce the chances of a successful attack. Ultimately, your business doesn’t want to suffer a data breach. Data breaches are costly and, if customers are lost, could severely impact your company’s ability to continue doing business long-term.

The good news: if you have an incident response plan, you’ll save more than $340,000 per breach on average.

Small and midsize businesses need to take measures to protect themselves from cybercrime by implementing a cybersecurity strategy.

With the support of SyberSafe’s simple DIY solution, which follows the NIST Cybersecurity Framework, you receive guidance and tools on how to:

  1. Identify Risks and Vulnerabilities
  2. Implement a Protection Plan
  3. Create a Breach/Incident Response Program
  4. Train Employees

Learn more about how data compliance can mitigate the risks of a data breach.

As you explore a strategy to protect your business, get started with a free Risk Assessment to identify your business vulnerabilities.