Calculating the cost of a data breach
Data breaches eat away at customer trust, brand image, and the overall reputation of a company. By November 2019, 7.9 billion records had been exposed tied to various cybersecurity incidents.
Among the top sectors affected were healthcare, retail, and public administration. The average cost of a data breach has come out to be $3.92 million on a global scale. With healthcare amounting for $6.45 million.
When calculating the cost of a data security incident, it’s important to take into account the long-haul costs of getting the systems up and running and upgrading the security posture to prevent similar incidents.
Let’s explore what all factors into the cost of a data breach and how to come down to a number.
Four cost components of a data breach
The cost of a cybersecurity event can be calculated by assessing four components:
Detection and escalation - This cost includes the activities to allow a company to identify and report a breach to the appropriate personnel within a stipulated time. For instance, forensic investigation, assessment and auditing, crisis team setup and management, and communications to executives and board managers.
Notification - This component talks about the activities of notifying customers who have their data compromised in the breach. These activities form a part of the regulatory requirements and communications. For instance, email letters, telephone calls, general notices, and engaging outside experts.
Response - Post data breach responses mean activities and processes to help individuals or companies affected by the breach communicate with the company. This component also includes costs associated with redress and reparation activities with regulators and data subjects. For instance, helpdesk and inbound communication activities, identity protection services, legal expenditures, product discounts, and regulatory interventions such as fines.
Lost customers - Lost business is one of the top contributors to data breach costs. The loss of customer trust has financial implications for businesses. Cost consists of revenue losses from system downtimes, cost of lose customers and new customer acquisition, and reputation and goodwill losses.
These process related activities drive all expenditures associated with a data breach. Let’s look at other factors that affect the cost of a data security incident.
Factors that impact the cost
Several factors can come together to positively or negatively impact the cost of a data breach. Let’s look at a few here:
Incident response effectiveness and response times - An organization’s ability to effectively respond to a cyber event is improved with an Incident Response team with an IR plan. Forming an IR team can reduce the cost of a data breach by as much as $360,000. Intensively testing the IR plan further takes the cost down by $320,000.
Abnormal customer turnover - With lost business as the biggest cost of a data breach, the cost of a breach is directly proportional to the number of customers lost. Companies especially in the healthcare, financial services, and pharmaceutical industries, have a hard time retaining clients following a data breach.
DevSecOps - Integrating security best practices right into the IT operations can mitigate the cost of a breach by $280,000. DevSecOps is therefore seen as a critical security component these days with organizations training their employees on the approach.
Employee training - Having a team of employees who know how to react to a data breach and the first-aid kit after a data breach can prove to be a company’s biggest asset in the face of a breach, reducing the cost by $270,000.
Artificial intelligence and security analytics - Using an AI-capable platform to detect and respond to such threats can reduce the cost of a breach by $230,000. Followed by security analytics which reduces the expenditure further by $200,000.
Contrary to those, there are several cost amplifiers such as compliance failures, third-party breach, cloud migration, system complexity, extensive use of mobile platforms or IoT devices. These factors combine to increase the cost of a cybersecurity event.
A methodology to calculate the cost of an exploit
Now that we know what factors play a role in impacting the cost of a breach, let’s look at a framework to calculate the actual cost of an exploit.
For an attacker, the benefit of the exploit should exceed the cost of the exploit for them to find the attack lucrative and actually proceed with it.
Keep the following factors in mind:
- Elapsed time - Expertise - Knowledge of the TOE (Target of Evaluation) - Access to the TOE - Equipment - Access to open samples Now, we assess the attack from two stages- Identification and Exploitation. It is harder to find and exploit a vulnerability for the first time but easier to utilize the exploit later.
For instance, in some cases where the benefit is large, an attacker could spend time and effort learning specialized tools to develop an exploit. After an exploit is published, it can be replicated by other adversaries with low skillsets.
For both identification and exploitation, indicate the time and knowledge required to achieve a successful attack. The number of product samples applies to hardware devices. Indicate a ‘-’ against it if you’re doing the exercise for a software product.
Give value to each cell and assess the feasibility of an attack for a hacker. This will help you develop and embed security practices into your IT infrastructure.
If this looks too time-consuming, talk to us about a comprehensive security analysis for you. We can help you better your security posture with advanced security testing and development tools and tactics.