Determine the Cost and Impact of a Security Breach

December 19, 2023 | By IANS Research

The financial effects of a data breach can range from losses due to business disruption and data exposure to regulatory fines, brand impacts and legal costs. This piece highlights the differences between security incidents and breaches and provides a process for determining breach costs specific to your organization.


Security Incident vs. Breach: What are the differences?

Before defining breach types and quantifying actual costs, it’s important to first understand the difference between an incident and a breach so the terms are not conflated. Several reputable sources use slightly different definitions, but it’s helpful to use the definitions within Verizon’s Data Breach Investigations Report (DBIR):

  • Incident: A security event that compromises the integrity, confidentiality or availability of an information asset. (Note: An incident, depending on scope and severity, may not result in a breach.)
  • Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party. A DDoS attack, for instance, is most often an incident rather than a breach, because no data is exfiltrated. However, that doesn’t make it any less serious.


Common Security Breach Types

External Attacks

Most data breaches (more than 80%, according to Verizon’s DBIR) stem from malicious external actors infiltrating an organization to gain access. Typical incidents in this category that lead to breaches include:

  • Vulnerability exploits
  • Phishing (social engineering)
  • Credential theft
  • Malware infection
  • Ransomware
  • Third parties (where attackers compromise a supplier or partner of the target organization)

Insider Attacks

Beyond external threat actors, insider attacks also must be considered. Verizon’s DBIR finds nearly a fifth of data breaches are due to insiders.

Human Error

Human error is a broad topic because it is involved in the vast majority of incidents and breaches. In fact, Verizon’s DBIR finds nearly three-quarters (74%) of breaches involve the human element, including social engineering attacks, errors or misuse.

Such attacks range from low impact (e.g., regular employees clicking on a phishing link and having their credentials compromised) to high impact (e.g., high-value targets, such as engineers and administrators with privileged access to systems and data, falling victim). Technical staff may also encounter tactics such as MFA bombing, which continually sends push notifications designed to exhaust an IT person into accepting one, giving attackers the access they seek. Additionally, breaches can be due to human error when systems are misconfigured or vulnerabilities are left unpatched.


Longer Dwell Times, Higher Breach Losses

Attacker dwell time is the average time an unauthorized user has access to a system or environment. It is one of the statistics that catches the attention of the business and everyone who reads about an incident. We all know incidents will happen, but our focus should be on how quickly they are detected, acknowledged, responded to, contained and recovered from.

IBM’s Cost of a Data Breach Report 2023 found incidents that took longer than 200 days to find and resolve cost $102 million more, on average, compared to incidents where attacker dwell time was under 200 days. However, even fewer than 200 days is a staggering amount of time for an attacker to go undetected.


Calculating the Cost: Start with Business Criticality

Security and business leadership have different priorities and are measured and held accountable for different things. When estimating the cost of an incident or breach, knowing which systems and data matter most to the business is crucial. If everything is critical, nothing is critical.

A good way to ensure everyone understands what truly matters is to have security and business leaders examine their business continuity and disaster recovery (BCDR) plans, which already prioritize the most critical systems and data. Until there is a consensus, however, it is tough to place a dollar amount on the cost of a negative impact.


Key Security Questions for Incidents and Breaches

To ensure all stakeholders remain in agreement on what is important to the business, ask the following questions and use the answers to ensure proper controls are put in place:

  • Which system(s) are required for the business to generate revenue?
  • What data does the company depend on?
  • Which third parties rely on the company, and which does the company rely on?
  • Which systems are needed to operate the business (e.g., computers, servers, OT, physical facilities, power, communications and so on)?

This is not an exhaustive list of questions, but each question has multiple layers. Systems have many dependencies, and if just one system in the chain is unavailable, the impact and cost to the business may be substantial. For example, ransomware can affect one or more layers in the business, and a compromised administrator account with access to critical systems can quickly lead to an incident with network-wide outages, inaccessible data and even data exfiltration, which carries additional cost.

Once criticality is determined, calculations can be run to understand the anticipated impact of an incident or breach.


Learn How to Track Security Incidents and Costs

Incidents can lead to systems and data becoming unavailable, and the costs are similar to those calculated in business continuity planning for when critical infrastructure is unavailable due to an outage. Whether an outage is due to loss of power, severed network cables or a malicious data breach, it has a financial impact on the business.

Cybersecurity teams should track how quickly incidents are resolved, as well as the cost associated with recovering from them. As teams get better, they should start to see the cost associated with incidents decline.


Benchmark Security Industry Breach Metrics

Breach costs are often calculated using cost per record as a guide. However, costs might also include the loss of intellectual property and other data meaningful to the business. IBM’s report calculates the cost per record at $165 and finds the average cost of a breach globally per company is $4.45 million, a 15% increase over three years.

Data breach and ransomware calculators like this one can help you arrive at numbers that can be used in planning and prioritization so you can direct budget toward people, processes and technology that may help reduce the likelihood of an incident or breach.


Factor in Additional Security Breach Costs

Beyond the hard dollar costs associated with data loss, other breach ramifications are more difficult to quantify. These tend to add up long after operations are back to normal. Examples include:

  • Regulatory fines
  • Brand and reputation damage
  • Lawsuits
  • Intellectual property loss
  • Increased insurance premiums
  • Impact on quarterly results and stock price
  • Paid ransom

The severity of the incident, as well as the cost and fallout from a breach, should be discussed to help make informed decisions about investments and preparation. No amount of money or preparation can guarantee an incident- or breach-free company, but reducing the impact is within reach.


Tips to Calculate Security Incident/Breach Costs

There is no shortage of incident and breach headlines lately, and many are due to similar issues, such as phishing, ransomware, vulnerability exploits and misconfigurations. In addition, the future looks increasingly challenging with the growing popularity of AI and deepfakes. Organizations should calculate potential breach costs to determine the right controls and budget to earmark for mitigation. To ensure your breach cost calculations are reasonable and actionable:

  • Consider industry numbers: The reports from Verizon and IBM mentioned are good places to start.
  • Understand the common types of breaches: External actors account for more than 80% of breaches, but insiders account for the rest, and the human element continues to contribute to both and must be considered.
  • Understand the range of impacts from a single breach: Many times, it’s not the number of credentials compromised but the type of credential (tech admin or privileged access) that leads to the biggest breaches and the biggest costs. Be sure to calculate costs for a range of scenarios.
  • Work with the business to determine criticality and optimal defenses: The business knows best when it comes to what is critical and the financial costs of loss. Consider using BCDR plans to highlight critical systems/processes and get everyone on the same page.
  • Factor in residual costs: Most breaches include costs well beyond the loss of data. Be sure to calculate ongoing costs, including legal, brand, regulatory fines, etc.
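
Putting these tips together, here is an added example (not from IANS or the reports it cites) that models the page's low-impact and high-impact credential scenarios using the $165 per-record figure quoted above, adds BCDR-style disruption cost and the residual cost categories, and returns a planning range across scenarios; the scenario names, record counts, downtime hours, revenue-per-hour and residual amounts are constructed assumptions.

```python
from dataclasses import dataclass, field

# Benchmarks quoted on the page from IBM's Cost of a Data Breach Report 2023.
IBM_COST_PER_RECORD_USD = 165
IBM_AVG_BREACH_COST_USD = 4_450_000

@dataclass
class Scenario:
    """One breach scenario; every figure fed in below is a constructed input, not real data."""
    name: str
    records_exposed: int          # confirmed disclosed records (a breach, not just an incident)
    downtime_hours: float         # outage of revenue-generating systems
    revenue_per_hour_usd: float   # taken from the BCDR plan's criticality analysis
    residual_costs_usd: dict = field(default_factory=dict)  # fines, legal, brand, premiums, ransom

def direct_data_cost(s: Scenario, cost_per_record: float = IBM_COST_PER_RECORD_USD) -> float:
    """Records confirmed disclosed times the per-record benchmark."""
    return s.records_exposed * cost_per_record

def disruption_cost(s: Scenario) -> float:
    """Business-disruption cost, the same figure BCDR planning uses for an outage."""
    return s.downtime_hours * s.revenue_per_hour_usd

def residual_cost(s: Scenario) -> float:
    """Costs that keep accruing after operations are restored."""
    return sum(s.residual_costs_usd.values())

def total_cost(s: Scenario) -> float:
    return direct_data_cost(s) + disruption_cost(s) + residual_cost(s)

def cost_range(scenarios: list) -> tuple:
    """Low and high estimate across scenarios, plus the per-scenario totals."""
    totals = {s.name: total_cost(s) for s in scenarios}
    return min(totals.values()), max(totals.values()), totals

# Constructed scenarios mirroring the page's low- and high-impact credential cases.
PHISHED_EMPLOYEE = Scenario("phished employee, no privileged access",
                            records_exposed=2_000, downtime_hours=4, revenue_per_hour_usd=50_000,
                            residual_costs_usd={"legal": 25_000})
COMPROMISED_ADMIN = Scenario("compromised admin, ransomware and exfiltration",
                             records_exposed=40_000, downtime_hours=72, revenue_per_hour_usd=50_000,
                             residual_costs_usd={"regulatory_fines": 1_500_000, "legal": 750_000,
                                                 "brand": 500_000, "insurance_premium_increase": 200_000})

if __name__ == "__main__":
    low, high, totals = cost_range([PHISHED_EMPLOYEE, COMPROMISED_ADMIN])
    for name, usd in totals.items():
        print(f"{name}: ${usd:,.0f} ({usd / IBM_AVG_BREACH_COST_USD:.2f}x the IBM global average)")
    print(f"planning range: ${low:,.0f} to ${high:,.0f}")
```

Swapping the constructed inputs for figures from your own BCDR plan and incident-cost tracking turns the range into an organization-specific estimate rather than an industry average.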

Companies can make reasonable estimates of the cost incurred from incidents and breaches. In the end, it is a business decision, and some amount of risk is accepted. Companies should strike a balance between security risk and running a business, and, ideally, keep cost and impact low when negative incidents occur.


Find IANS SEC Cyber Disclosure Resources

With the SEC’s new cyber rules, the materiality of cyber risk and incident disclosure is further emphasized. Be better prepared for the new cyber rules with the IANS SEC Cyber Disclosure Resource Center, which features videos, checklists and actionable guidance to help CISOs and security teams efficiently verify compliance.
