The financial effects of a data breach can range from losses due to business disruption and data exposure to regulatory fines, brand impacts and legal costs. This piece highlights the differences between security incidents and breaches and provides a process for determining breach costs specific to your organization.
Before defining breach types and quantifying actual costs, it’s important to first understand the difference between an incident and a breach so the terms are not conflated. Several reputable sources use slightly different definitions, but it’s helpful to use the definitions within Verizon’s Data Breach Investigations Report (DBIR):
Most data breaches (more than 80%, according to Verizon’s DBIR) stem from malicious external actors infiltrating an organization to gain access. Typical incidents in this category that lead to breaches include:
Beyond external threat actors, insider attacks also must be considered. Verizon’s DBIR finds nearly a fifth of data breaches are due to insiders.
Human error is a broad topic because it is involved in the vast majority of incidents and breaches. In fact, Verizon’s DBIR finds nearly three-quarters (74%) of breaches involve the human element, including social engineering attacks, errors or misuse.
Such attacks range from low impact (e.g., regular employees clicking on a phishing link and having their credentials compromised) to high impact (e.g., high-value targets, such as engineers and administrators with privileged access to systems and data, falling victim). Technical staff may also encounter tactics such as MFA bombing, which continually sends push notifications designed to exhaust an IT person into accepting one, giving attackers the access they seek. Additionally, breaches can be due to human error, such as misconfiguring systems or failing to patch vulnerabilities.
Attacker dwell time is the average time an unauthorized user has access to a system or environment. It is one of the statistics that catches the attention of the business and everyone who reads about an incident. We all know incidents will happen, but our focus should be on how quickly they are detected, acknowledged, responded to, contained and recovered from.
IBM’s Cost of a Data Breach Report 2023 found incidents that took longer than 200 days to find and resolve cost $102 million more, on average, than incidents where attacker dwell time was under 200 days. However, even something under 200 days is a staggering amount of time for an attacker to go undetected.
Security and business leadership have different priorities and are measured and held accountable for different things. When estimating the cost of an incident or breach, knowing which systems and data matter most to the business is crucial. If everything is critical, nothing is critical.
A good way to ensure everyone understands what truly matters is to have security and business leaders examine their business continuity and disaster recovery (BCDR) plans, which already prioritize the most critical systems and data. Until there is a consensus, however, it is tough to place a dollar amount on the cost of a negative impact.
To ensure all stakeholders remain in agreement on what is important to the business, ask the following questions and use the answers to ensure proper controls are put in place:
This is not an exhaustive list of questions, but each question has multiple layers. Systems have many dependencies, and if just one system in the chain is unavailable, the impact and cost to the business may be substantial. For example, ransomware can affect one or more layers of the business, and a compromised administrator account with access to critical systems can quickly lead to an incident with network-wide outages, inaccessible data and even data exfiltration, which carries an additional cost.
Once you determine the importance, calculations can be run to understand the anticipated impact of an incident or breach.
Incidents can lead to systems and data becoming unavailable, and the costs are similar to those calculated in business continuity planning for when critical infrastructure is unavailable due to an outage. Whether an outage is due to loss of power, severed network cables or a malicious data breach, it has a financial impact on the business.
Cybersecurity teams should track how quickly incidents are resolved, as well as the cost associated with recovering from them. As teams get better, they should start to see the cost associated with incidents decline.
Breaches are often costed using the cost per record as a guide. However, costs might also include the loss of intellectual property and other data meaningful to the business. IBM’s report puts the cost per record at $165 and finds the average cost of a breach globally is $4.45 million per company, a 15% increase over three years.
Data breach and ransomware calculators like this one can help you arrive at numbers that can be used in planning and prioritization so you can direct budget toward people, processes and technology that may help reduce the likelihood of an incident or breach.
Beyond hard dollar costs associated with data loss, other breach ramifications are more difficult to quantify. These tend to add up long after the operation is back to normal. Examples include:
The severity of the incident, as well as the cost and fallout from a breach, should be discussed to help make informed decisions about investments and preparation. No amount of money or preparation can guarantee an incident- or breach-free company, but reducing the impact is within reach.
There is no shortage of incident and breach headlines lately, and many are due to similar issues, such as phishing, ransomware, vulnerability exploits and misconfigurations. In addition, the future looks increasingly challenging with the growing popularity of AI and deepfakes. Organizations should calculate potential breach costs to determine the right controls and budget to earmark for mitigation. To ensure your breach cost calculations are reasonable and actionable:
Companies can make reasonable estimates of the cost incurred from incidents and breaches. In the end, it is a business decision, and some amount of risk is accepted. Companies should strike a balance between security risk and running a business, and, ideally, keep cost and impact low when negative incidents occur.
With the SEC’s new cyber rules, the materiality of cyber risk and incident disclosure is further emphasized. Be better prepared for the new cyber rules with the IANS SEC Cyber Disclosure Resource Center, which features videos, checklists and actionable guidance to help CISOs and security teams efficiently verify compliance.
February 29, 2024
By IANS Research