Every year, thousands of high-profile attacks are launched against enterprises of all sizes in the United States. Counting those driven by automated malware, there are millions of attempted network breaches each and every year.
Over the last decade, the frequency, size, quantity, and acceleration of attacks have continued to grow far beyond what was imaginable only a short time ago. Hackers now have countless targets to choose from: Credit card data, corporate credentials, and Social Security information, among others.
Each enterprise has its own collection of sensitive data and assets that may come under attack at any time. While there is no way to precisely calculate the losses a given organization may suffer, there are three broad categories:
• Direct Costs
• Revenue Loss
• Business Disruption
• Direct Costs of a Data Breach
Direct Costs of a Data Breach
It takes an average of more than 200 days for organizations to uncover a data breach once the earliest evidence is noticed. Outside actors notify organizations of a breach more than two thirds of the time. It may cost millions to completely extract hackers – who may have had full data access for years – isolate affected systems, and protect sensitive information.
Consumers now expect most organizations that suffer a breach will offer credit monitoring to their affected users. Retail rates for these services range anywhere from $10 to $30 monthly for every customer. You may be paying such rates for years to come.
Class action lawsuits follow virtually every noteworthy data breach. These not only result in tens of millions in costs, but ensure additional overhead and complexity over multiple years. Legal fees, settlement amounts, and federal entanglements all prolong the pain.
From retail to healthcare, many organizations have complex compliance requirements. Even if you had achieved 100% compliance, you are typically required to pay fines after a breach. These can range anywhere from $50 to $90 per affected individual for companies responsible for financial data.
In-house costs of data security expertise are notoriously high. Tools, solutions, and service providers, can all be extraordinarily expensive. Compensating and retaining top security talent is particularly onerous and requires long-term commitment.
Insurance premiums skyrocket in the aftermath of many security incidents – if you even manage to retain your coverage. Premiums can rise across the board when insurers reassess the threat landscape. Only countervailing security investments can offset the increased risks.
Revenue Loss in a Data Breach
Brand Reputation Damage
No matter your industry, loss of consumer confidence makes a significant difference for years to come. A sharp drop in both revenue and customers can be expected in the wake of a publicized breach. Sometimes, the damage may linger for years and cast company culture in a poor light.
Loss of Investment Opportunities
Financial analysts take long-term reputation damage and negative publicity into account when making recommendations to investors. This can cause opportunities for capital investment to evaporate and may completely destroy early stage enterprises reliant on investment for growth.
Payment Card Suspension
Payment card processors have every right to withdraw their services from enterprises that have experienced a major lapse in security protocol. While this remains rare, it would be a death blow to many brands whose customers could not be expected to shoulder payment inconvenience.
Business Disruption After a Data Breach
Stock Price Declines
Historically, stock prices have rebounded in time even when breaches are perceived by the public as particularly egregious. However, with lower stock price comes an opportunity cost that cannot be recouped. A loss of $10 or more per share is not unknown and may be sustained for months.
CEOs and CIOs are at greatest risk when a data breach takes place. Boards and investors want to see someone accept blame, even in cases where little more could be done. Not only do some executives “fall on the sword,” but the org chart may expand to add more strategic IT roles.
A major breach tends to sideline the company strategy for a long time to come. Expected hiring and investments are put on hold. New products and services may be slowed. A company’s whole outlook could be impacted long-term in the most insidious ways.
Lessons Learned from Data Breach Victims
• A managed security services vendor is in the best position to help you evaluate the possible costs of a breach in your situation. Factors involved are complex, and internal analyses often don’t capture the full picture. You should multiply any existing estimates 2x to 3x.
• Proactive security management – avoiding the breach in the first place – is the best way to curb IT security costs. More enterprises are looking to managed security services for this reason: You can benefit from new capabilities almost immediately at a fraction of the in-house cost.
• It’s far too easy to overlook the importance of IT security commitments because security does not generate ROI in the traditional sense: It is an insurance policy against an inevitable, but unpredictable future. As a result, most U.S. firms are not investing sufficiently in security.
• Compliance requirements should be seen as a start, not the “end all, be all” of security. You can dramatically reduce your long-term exposure to data security risk when you implement a full risk assessment, preferably in cooperation with an American managed security services brand.
A complete risk assessment should include:
• Identification of gaps in personnel, policies, security procedures, and technology.
• Identification of solutions that can mitigate the exposed gaps in priority order.
• Clarification and implementation of the needed investments – in time and money.
• Third-party managed security services teams can rapidly deploy and manage new solutions, mitigating risk fast. They ensure ongoing regulatory compliance and dramatically reduce the likelihood of a disruptive attack by hackers.
After a breach, some in the public blame the hackers, while others point the finger at the firms victimized. The difference? The perception that you’ve taken every step possible to protect customers’ sensitive data.