Setting the Scene
It’s 4 AM. Somewhere on the other side of the world, your third-party development team is hard at work migrating your system to the cloud. It is difficult, fatiguing work but the team is meeting their deadlines and delivering within budget as planned. Suddenly, 25,000 customer records are breached. If you are like most companies, this incident will not be discovered that night, the morning after, or even in the weeks to come. It will take you more than six months to discover that anything has happened and an additional three to four months to contain the breach. Your world is embroiled in lawsuits, business disruption, and revenue loss including the loss of customers you never had. The irreparable damage to your brand’s image in a nightmarish corporate snafu will last for years to come. This is an unfortunate case for many that suffer data breaches. Incidents like this one grow more common, more costly, and more difficult to contain every year.
Costs of Breaches
You ask yourself, “Why is this happening?” Data breaches are caused by one of three possible causes: system glitches, human error, or malicious attacks. Malicious attacks are not only the most common cause of a data breach, but they are also the most costly. According to the Cost of Data Breach 2019 Report, the average data breach costs $3.92M whereas the average breach caused by a malicious attack costs $4.45M.
What makes a data breach so costly? The lifecycle of a data breach. Every day it takes to identify it, contain it, and reconcile it, the more expensive it can get. In 2018 the average lifecycle of a data breach was 266 days, and a year later, it rose to 279 days which is 4.9%. Breaches caused by malicious attacks are the most expensive because it can take 314 days to contain, which is an increase of 12.5% over the average breach lifecycle.
The faster a company can identify a data breach, the lower the overall cost. Incidents with a lifecycle of fewer than 200 days are on average $1.22M less costly than breaches with a lifecycle that is longer than 200 days. Breaches need to be identified fast and handled appropriately to mitigate costs as much as possible.
The Horror
The horror of a data breach is not over once it is contained. There are other lingering factors contributing to the losses accrued due to a breach that can last two or more years; this is known as the “Long Tail”.
Roughly one-third of data breach costs occur more than one year after the initial data breach incident. On average 67% of costs are seen within the first year due to the initial response and breach containment, 22% of costs are seen in the second year and 11% of costs are seen more than two years after the breach. The Long Tail is even more serious of an issue for companies in highly regulated environments such as the financial, healthcare, and energy sectors. These organizations saw averages of 53% of costs in the first year, 32% in the second year, and 16% in the third year. This is due in part to legal costs and regulatory fines associated with containing a breach in a highly regulated environment.
Lost business is the biggest contributor to the cost of a data breach and small businesses are the biggest losers in these situations. The average cost of lost business due to a breach is $1.42M or 36% of the total. In 2019, breaches caused an abnormal customer turnover of 3.9%. A smaller business between 500-1000 employees had an average breach cost of $2.65M or $3,533 per employee.
Larger organizations of 25,000 employees or more, average only $250 per employee. For smaller companies, the incident response (IR) team, and extensive testing of the IR plan all reduce the average total cost as much as $360,000 and $320,000 respectively. Organizations that employed both saved an average of $1.23M compared with organizations that neither formed an IR team or IR plan whose average data breach cost was $4.74M. Combining both saves companies $410,000 on average.
A DevSecOps approach that instills security testing and design in the development process saves $10.55 per compromised record. While system complexity increased costs by $10.96 per record, the average number of records lost during a breach was 25,575 records per breach. If a DevSecOps approach is used the average amount that a breach would be reduced to $269,816. Extensive use of encryption reduces the cost by $12.25 per record or $313,294. Combining all four cost mitigating factors reduces the overall cost of a breach by an average of $993,110. Over a quarter of the overall cost of a breach can be mitigated just by using these four steps.
A Once of Prevention …
As data grows and the world becomes increasingly digitized, breaches will become even more of a regular occurrence. From 2018 to 2019, the odds of a breach occurring in an organization went from 27.9% to 29.6%. This is up from the 22.6% likelihood in 2014, which is a 31% increase in odds over 5 years. Regardless of the steps taken to secure sensitive data, malicious actors will always find new and better ways to cause a system breach. The best way to protect yourself and your organization is to prepare for the incident before it happens. This must be done through a combination of organizational and technological methods to ensure the safety of your customer and employee information. Solutions are out there, but the question is, what are you going to do to protect your brand, your reputation, and your business?
Data breaches can be costly and confusing. Avoid hefty fines and headaches by reaching out to experts like Axis to take care of your data compliance. With over 19 years of experience, Axis will design a business process and execute an implementation that will ensure you avoid hefty fines.
