For many business leaders, IT security is a surprisingly complex subject. On the one hand, just about every decision-maker recognizes that no organization can afford to ignore this topic entirely. Cybercrime is becoming more common every day, and hackers are no longer limiting their efforts to the most high-value targets, such as financial services providers. Instead, these cybercriminals are expanding their range of targets and focusing more on exploiting opportunities as they emerge, which means that any organization can be a target.
At the same time, though, company leaders are often hesitant to invest significantly in data security programs and resources. No one wants to spend more money than necessary, and business decision-makers who have had no experience with data breaches will often conclude that the risks of such events occurring are not sufficient to justify the expense of a security awareness campaign and other cybersecurity initiatives.
In reality, organizational decision-makers often severely underestimate not only the likelihood that their companies will be targeted by hackers, but also the costs of such incidents. Once these costs are understood, company leaders will be far more likely to make security awareness campaigns a priority.
Expensive incidents
These expenses were thrown into sharp relief in the Ponemon Institute’s 2014 Cost of Data Breach: Global Analysis report. This study found that the average breach last year resulted in costs totaling $3.5 million, up 15 percent from 2013. Naturally, some data breaches have much higher costs than others, and it is typically the larger firms that face the greatest expenses in the wake of large-scale cyberattacks. However, the Ponemon report also found that the average cost per compromised record was $145 in 2014, compared to $136 in 2013. The price was even greater among U.S. firms, with an average cost of $201 per exposed record.
This means that while large enterprises may see larger total costs associated with breaches, smaller organizations will still face sizable expenses if they fall victim to a cyberattack or inadvertently expose sensitive information. And the more widespread the breach, the larger the costs.
What’s more, these costs fall across a variety of areas. An IBM study found that among U.S. cyberattacks, 29 percent of the total data breach costs took the form of reputation and brand damage, while 21 percent came from lost productivity. Lost revenue accounted for 19 percent of the damage, followed by the expenses associated with forensics (12 percent), technical support (10 percent) and compliance measures (8 percent).
Prevention is the answer
As these numbers indicate, data breach costs aren’t simply a matter of fines due to noncompliance or increased marketing efforts to overcome a damaged reputation. Instead, the entire organization is inevitably affected, and to a serious degree. There’s no real way to isolate the negative impact that a data breach will have.
Given all of this, it should be clear that preventative measures are extremely important for organizations of all kinds. It’s not just a question of responsibility – although that is important – but also simply an issue of dollars and cents. Considering the costs associated with data breaches, cybersecurity measures are clearly a worthwhile investment.
Of course, for these investments to pay off, it’s imperative for firms to choose the right type of preventative measures. That’s what makes security awareness training so powerful. These campaigns can improve cybersecurity across the board and on an ongoing basis. By improving employees’ understanding of cyberthreats, companies can significantly reduce the likelihood that they’ll have to experience the costs associated with data breaches firsthand.
Learn more about setting up a security awareness program and team in this eBook:
Download “The Human Fix to Human Risk” to learn about Terranova’s simple five-step framework for implementing a comprehensive security awareness campaign that effectively changes employee behavior.