Preventive approaches dominated cybersecurity for decades. But as cyber attacks keep growing in both volume and sophistication and threat actors proliferate, complete prevention is no longer achievable. Breaches are inevitable, no matter how robust your preventive controls are, and prevention alone is futile unless it is tied to a robust detection and response capability.
Data breaches are a fact of life, and they always come with a hefty price tag. The cost can be steep and hard to recover from, and it depends on a range of factors, including the extent of the compromise and how events unfold after the initial attack.
A recent example of a breach with a high price tag is US health-care company Anthem, which settled a series of lawsuits stemming from its 2015 breach for $115 million. Another highly publicized case is US retailer Target, which this year agreed to an $18.5 million settlement with 47 states and the District of Columbia following its massive 2013 breach.
No company is immune, no matter how advanced its preventive capabilities. Sadly, there is no shortage of large corporations that have paid dearly for data breaches in recent years. Here are just some of the most notorious cases: The Home Depot ($56 million), Ashley Madison ($11.2 million), TalkTalk (£60 million), Sony Pictures Entertainment ($100 million), Heartland Payment Systems ($140 million), TJ Maxx ($162 million), Sony PlayStation ($171 million), Hannaford Bros ($252 million) and Epsilon ($4 billion).
So if breaches are inevitable, how do we minimize the financial risks?
The Various Costs of Data Breaches
The full cost of a data breach is difficult to estimate. The immediate, one-off costs are relatively straightforward, but there is also a "slow burn" effect that is hard to gauge and often underestimated. Loss of customers, a fall in share price and lawsuit settlements years down the line are all consequences of a breach that can hurt an organization for years to come.
The initial, short-term costs, both internal and external, incurred immediately after the breach include:
- Fixing the weaknesses and patching the vulnerabilities through which the breach originated
- Recovering lost data
- Enhancing the existing security measures and tools
- Investing in employees' cybersecurity training
- Engaging external experts to help with investigation, remediation and implementation of new procedures
- Notifying affected customers and compensating them
- Paying ransoms
- Public relations spending to protect or restore the company's brand and reputation
Although the costs listed above can run into millions of dollars, the long-term effects are even more worrying, because they can leave lasting damage on an organization's profitability: a fall in share price, loss of customers, drawn-out lawsuit settlement costs and an erosion of trust. And last, but not least, a company may never be certain that the threat has been fully eradicated.
Factors that Impact the Cost of Data Breaches
Type of data stolen
How much data was exposed, and what was its nature? Were only usernames and passwords compromised, or was highly sensitive data such as credit card details, additional personal information or medical records also breached?
Type of attack
What was the primary source of the breach? Was it caused by malware, unauthorized access, data theft or improper data handling? What was the attack vector, and has the vulnerability been successfully patched?
Industry
Some industries, especially highly regulated ones such as healthcare and finance, are hit harder when personal information is breached. For the past seven years healthcare has been the most expensive industry for data breaches, at $380 per record, more than 2.5 times the global average of $141 per record.
Third-party involvement
Some cyber attacks are conducted directly against the company, while others are carried out through third parties. The 2017 Ponemon Cost of Data Breach Study found that breaches involving a third party cost $17 more per record, so evaluating the security posture of every vendor and partner should be a must for any organization.
Geography
The global average cost of a data breach is $3.62 million, a 10% drop from the $4 million average in 2016, attributed mostly to the introduction of preventive security controls, effective incident response and advanced testing. Unfortunately, the same is not true for the United States, where the cost of a data breach rose by 5% in 2016, with the average organizational cost per breach reaching $7.35 million.
Time to detect and contain
The time it takes to detect, respond to and contain an incident is crucial.
Ponemon Institute estimates that the average number of days a threat stayed latent before discovery and eradication was 98 days for financial services firms and 197 days for retailers. Attackers are not only getting past the defences; they are staying long enough to cause irreparable damage.
There is a clear incentive to improve detection and response capabilities. Evidence shows that short dwell times mitigate damage and reduce remediation costs. The 2016 Cost of Data Breach report (undertaken with IBM Security) demonstrates a link between cost and dwell time: Ponemon found that beyond a key 100-day marker, data breach costs increased by about 72%. By resolving incidents quickly a company keeps the story out of the press, and by cutting off the attacker's access early it can significantly limit the number of records compromised and the amount of sensitive data stolen.
Cutting Data Breach Costs
How, then, do you cut the cost of a data breach? Timely and effective incident response is one of the keys to significantly reducing it. Improving incident response capability is a long-term investment: it starts with allocating budget to incident response solutions, combined with security teams that have clear and detailed IR plans and procedures in place.
Early and efficient incident response has been shown to reduce the total cost of a breach, and security teams are responding by rebalancing their security dollars toward detection and response. Gartner states that security teams spend about 10% of their budget today on products focused on detecting attackers inside their network, and expects that share to grow to 75% by 2020.
Nor should you forget the importance of having a comprehensive data breach communications plan in place: the way an organization handles an incident publicly can be critical to the costs it incurs.
Secdo's advanced incident response solution can help businesses significantly reduce the cost of data breaches by shortening incident response time to minutes or even seconds and giving your security team full thread-level visibility into everything that has happened on your endpoints, so you can investigate incidents back to the root cause, assess the damage and surgically respond to any threat remotely. Request a demo today.