Putting a price tag on a potential data breach is a challenging task. Many reports calculate the average cost of a breach, but how much can these reports really tell us when it comes to providing meaningful figures for an individual organisation?
With security incidents now all but inevitable for any organisation, security professionals sometimes use these metrics to support decision making. They need an idea of what a potential breach could cost in order to decide how much to spend on preventing it, and to justify that spending to senior executives or the Board.
However, relying on such metrics alone is a mistake. The cost of a potential breach should never be calculated without taking the individual organisation's own circumstances into account. Clearly, these costs will be very different for a multinational financial institution than for a small community library. Conducting a risk assessment that encompasses the situations unique to each organisation will, in the end, help executives make more informed decisions.
Calculating the real cost of a data breach
As an analogy, think of using a report on the global average property loss per burglary to decide whether to invest in a home alarm system and, if so, how much to spend on it. Such a figure probably exists somewhere, but it tells you nothing about the crime rate in your neighbourhood, nor does it account for the expensive set of jewellery you have just inherited. Then there are regional differences to consider: the figure is probably far lower in Bangladesh than in suburban Los Angeles.
Treating breach costs as global, uniform numbers produces figures that look interesting but are basically meaningless. The reality is that these metrics may be of interest to academia, but they are generally not very useful for day-to-day security decisions.
Much more useful than a global average is a tool that helps security managers and business decision makers arrive at a common understanding of what a breach could mean to their organisation. To this end, security teams should conduct their own risk assessment to determine how much a breach could cost them in their field, considering their customers and the data they handle. It is worth noting that estimating the impact is only half of the risk assessment homework; the other half is assessing the likelihood of a breach actually happening, since it is the combination of the two that gives a realistic expected loss.
Key areas to consider when evaluating this cost are the following.
After a breach, an organisation will most likely need to rebuild at least some of the affected IT systems and verify the integrity of its records. An assessment should calculate the related costs, including hardware rental, labour, time and materials, as well as the revenue lost if the compromised system must be taken offline.
Communicating the cost of a data breach
It is important to consider the ramifications of communicating the breach to customers and how this will play out in terms of the manpower and practical resources needed to field incoming enquiries. Consider the cost of handling additional calls to technical support: could the organisation cope if every tenth, or even every fifth, customer called? It could mean temporarily increasing the number of customer service representatives (CSRs), with a knock-on effect on HR and overtime costs.
Costs should also take into consideration whether the organisation is legally required to notify its customers and how this would be done: by e-mail, phone or registered mail, and what each would cost in time and labour. If the breach results in financial damage to customers, the organisation could be liable to compensate them.
From a legal perspective, consider also issues such as laws mandating personal liability for executives, the percentage of customers likely to sue in the event of a breach, and how much that would cost in legal fees and damages paid.
Compliance related costs
Potential fines from regulators for breaches are becoming more severe. A checklist should include compliance-related costs such as fines and what the amount could be in a worst-case scenario. With the GDPR (General Data Protection Regulation) applying from May 2018, fines can reach up to 4% of an organisation's worldwide annual turnover or EUR 20 million, whichever is higher. Allow, also, for any contractual penalties that would need to be paid in the event of a breach, for example to a business partner, customer, vendor, supplier or card scheme.
More difficult to predict are factors such as the impact on the organisation's short-term share price: what financial effect does a sudden drop have, and what if the breach happens just as management is in the middle of merger or acquisition talks? Appearances here are often deceiving. Depending on how it is communicated, a data breach can appear to have marginal and temporary consequences if judged only by the company's share price.
However, this is a distorted view of reality, as it ignores everything else a data breach entails. In some cases an organisation emerges stronger after a breach than before, but that does not mean it was not a costly lesson.
Security officers and business managers are expected to exercise due diligence in their decision making and, whilst it is more difficult and time-consuming to conduct a detailed analysis, it is better than taking the shortcut of relying on global average values. Better-informed decisions tend to be better decisions. So, go ahead and use global figures as a benchmark, but take them with a grain of salt.
Sándor Bálint is security lead for applied data science, Balabit