
You’ve heard you need it. Daily headlines warn you to secure your data to protect your business, your employees and your customers. But how can you afford to pay for cyber security when you already have a tight budget and it may not add a dime to your revenue stream?
The answer is that the return on this investment is not measured in new income, but in the value of asset protection. To determine whether cyber security is a worthwhile investment for your company, you must understand the true cost of a data breach and how much you will benefit from investing in measures to avoid those costs.
The cost of a data breach varies depending on many factors, including the root cause of the breach (such as a malicious attack or employee negligence), the time it takes to discover and remedy the breach, the industry involved, whether there is extensive use of mobile platforms and whether an incident response team had been developed prior to the breach. Despite the many variables at play, both direct and indirect costs should be tallied. Direct costs include forensic experts to investigate and remediate, credit monitoring, lawsuits and settlements, regulatory fines and penalties, and notification expenses. Indirect costs include business disruption, network downtime, loss of reputation and customer turnover.
The IBM/Ponemon “2017 Cost of Data Breach Study,” which interviewed individuals from 63 U.S. companies in 16 industry sectors that had suffered at least one breach in the prior 10 months, found that the average cost of a data breach was $225 per lost or stolen record. Of that amount, $79 represents direct costs and $146 is attributed to indirect costs.
To calculate these amounts, the researchers asked respondents how many records were affected in the breach, what percent of their organization’s customer base was breached and how much the organization spent on various activities to discover and respond to the breach. Of the companies interviewed, the number of breached records per incident ranged from 5,563 to 99,500. That translates to a cost of $1,251,675 to $22,387,500.
Think about what kind of costs your company could incur from a data breach. Are you an online retailer? A 2014 study performed by Avaya found that 80 percent of companies lose revenue when the network goes down, averaging losses of $140,000 as a result of network outages. If you are in the financial sector, those losses climb to $540,358 per incident.
Now think about what would happen if your IT professional had to stop focusing on keeping the computer systems working to turn his or her attention to investigating and remediating a breach. Once detected, it takes an average of 55 days to contain a breach. Ponemon’s “2015 Cost of Cyber Crime Study: Global” found that business disruption accounts for 39 percent of total external costs, which includes business process failures and lost employee productivity.
In addition to losing employee productivity, hiring a forensic expert to help identify and resolve the breach could cost over $15,000 per week. Notification costs, which include activities such as developing a contact database, engaging outside experts (state notification laws are based on the location of your customers, not the company’s headquarters), determining regulatory requirements, paying postage and staffing call centers averaged $690,000 per breach in 2017.
And if your company is in a regulated industry, fines and penalties can be steep. Depending on the level of neglect, HIPAA violations can result in penalties ranging from $100 to $50,000 per violation, with an annual maximum of $1.5 million. Financial institutions that are governed by the Gramm-Leach-Bliley Act can be fined up to $100,000 per violation, and officers and directors of the financial institution can be personally fined up to $10,000 for each violation.
Now that you have an idea of how much a data breach could cost your company, consider how much it could save by investing in cyber security. Ponemon’s “2017 Cost of Data Breach Study” highlights 20 factors that can increase or decrease the average cost of a breach. For example, having an incident response team already organized and ready to spring into action decreases the cost by $25.90 per record, over 10 percent. Extensive use of encryption reduces the cost by $22.50 per record and training your employees reduces the cost by another $16.80 per record. If you add insurance protection, you can further reduce the price tag of a data breach by $9.90 per record. Investing in these four relatively inexpensive areas could reduce the cost of a data breach by $75.10 per record. If 10,000 records are stolen, the investment could save you $750,000.
How much would it cost to implement these cyber security controls? Cyber insurance is typically priced based on the class of business and the amount of revenue, with premiums starting around $1,000. A business in a neutral class with revenue of $10 million could expect to pay a premium of around $8,500 for $1 million in coverage. Based on research carried out by the Ponemon Institute in 2012, the total cost of ownership for full disk encryption averaged $232 per user, per year. And the cost of training your employees and organizing an incident response team? That is largely a matter of investing company time to understand your own systems and processes, develop an information security policy and corresponding incident response plan, and train your employees on those procedures.
You may already have someone in your company savvy enough to do this for you. If so, then an excellent starting point is NIST’s reference guide, titled “Small Business Information Security: The Fundamentals” (Nov. 2016), available here: http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf.
Or, it may be more cost-effective for your company to hire a cyber security professional to perform a risk assessment, draft an information security policy and train your employees on how to be good stewards of your company’s information.
Whichever path you choose, spending capital on cyber security today may be the best investment your company makes this year.
Tammy B. Georgelas is a cyber security and litigation attorney at Parsons Behle & Latimer, based in Salt Lake City, who advises clients on data security, breach prevention, information security policies and response strategies, including compliance with state and federal laws.