According to IBM’s Cost of a Data Breach report In 2021, data breach costs rose from $3.86 million to $4.24 million, exhibiting the highest average total cost in the 17-year history of their report.
A new report from the Department for Culture, Media, and Sport (DCMS) has revealed that data breaches have become more costly for medium and large businesses in the UK. The report shows how medium-sized and large firms lost an average of £19,400 in 2021. This is an increase on 2020 where the reported number was £13,400. Interestingly, when we consider businesses of all sizes, the amount dropped to £4,200. This is a significant decrease from £8,460 in 2020.
Every year, many reports like this provide insight into what is happening around us and the ever-increasing costs of data breaches and cyber attacks. They are valuable because they give us insights into the price, the methods used, and how organisations respond to the increasing threats. However, we need to treat these reports with a degree of caution because they do not, and cannot, offer an accurate depiction of what is happening out in our digital universe and the impact of data breaches. This is not a complaint of the researchers themselves, but rather an observation that there are just too many factors we are not considering when calculating the size of the problem or the cost of the impact.
Although reporting on the financial impact of a data breach is essential and valuable, it is too arbitrary and does not give us the actual cost of a breach which is harder to quantify. Of course, it’s a good statistic to take to the board room and justify your cybersecurity budget, but we should also consider the less tangible impact of a breach because the costs and impact on business are far higher than the numbers reported show us.
Following a breach, there are often hard conversations that have to be conducted with customers, clients, and employees about what has happened. Before understanding how the breach occurred, or the financial impact is calculated, phone calls, emails, and press releases have to be crafted. With every communication, there is a chance of losing a client and the negative impact on the organisation’s reputation increasing.
Of course, this does not mean organisations should obfuscate the event and try to avoid having these conversations, as this will undoubtedly be worse for them in the long run. If an organisation is open and honest about what has happened, then the chances are that many (not all) of their clients, suppliers, and employees will be forgiving. This is especially true if they have suffered at the hands of organized cybercriminals. But this is a risky strategy to cling onto, as patience and generosity of spirit are often in short supply when an organisation discovers that they are the actual victim of a successful attack.
Back in 2013, the US retailer Target was compromised by cybercriminals, which affected 41 million customers. Target detected the breach in 16 days and disclosed it to the public 20 days after discovery, but many customers were unhappy about the length of time it took for the retail giant to disclose the breach.
This undoubtedly affected their share price for a considerable period. Of course, any company’s share price is the financial demonstration of a company's reputation and standing.
Compensation and Fines
The impact on reputation is one which we turn to most often when considering the cost of a breach, but there are other factors to consider.
A data breach can lead to claims for compensation and possibly even sanctions and fines being placed on an organisation. The Information Commissioners Office (ICO), which is the supervisory authority in the UK, oversees the governance and compliance with the UK Data Protection Act and the EU GDPR. Following a breach, an organisation may have to explain itself to the ICO, who may then take action. No matter what form of sanction this may take, lawyers will invariably get involved, and the financial impact of a breach quickly escalates once again.
But following a breach, there is an impact that is often forgotten or not discussed that has a financial hit but is less evident on the first assessment.
The Human Impact
When a breach occurs, there is a flurry of activity to establish what has happened and what actions need to be taken. The incident response team will step into action, follow their plans, and judiciously work to get the business up and running.
During the response and recovery process, there is pressure on those involved to be fully engaged and present to ensure the recovery can happen as quickly as possible. Holidays are cancelled, and personal commitments such as childcare or care for relatives are ignored – the focus is now on business survival or recovery.
Therefore, the stress placed on the participants in the recovery team is substantial and often neglected when considering who should be part of your recovery team. Being calm under pressure is an expectation of most leaders and managers. Still, a data breach or cyber event is not an event that many people will face (thankfully) daily. Therefore, how people react and respond to a violation will differ considerably, but however they respond, the truth is that it will initially be a human response.
I want you to be under no illusion here; When a breach occurs, your team's first response will be “how does this impact me? Am I to blame?” This may be a fleeting thought, but it will still be there. This causes stress and anxiety as the person struggles with personal and professional responsibilities.
It is little wonder that recent research revealed 24% of Fortune 500 Chief Information Security Officers (CISOs) last just one year in the role, with the average tenure being 26 months. But what of the IT team members? Or the others in the response team? How long do they remain after an incident occurs?
Of course, stress and anxiety can cause mental health problems, and if we are to return to the balance sheet, productivity issues will lead to more financial losses.
Calculating the cost of a breach quite rightly comes down to what we can enter onto a spreadsheet, but we shouldn’t just look at the obvious financial implications of a breach. We need to consider all aspects of a breach if we are to get close to understanding the actual cost. This means considering the impact on our reputation, lost opportunity costs, impact on productivity, increased operating costs, compensation and fines, and finally, impact on our people.
The impact on our people is often the most difficult to calculate as there is no clear indication of when the effect may be felt; team members may begin to look for another role the moment the business has started to recover and may never mention the breach as being a catalyst for leaving.
The purely financial cost of a breach can be a line on a spreadsheet, but the actual cost of a breach is far more profound. It is an erosion of trust of both internal and external stakeholders.
Therefore the real question and calculation we should be asking and making is: What price do you place on trust?
About the Author: Gary Hibberd is the ‘The Professor of Communicating Cyber’ at Cyberfort and is a Cybersecurity and Data Protection specialist with 35 years in IT. He is a published author, regular blogger, and international speaker on everything from the Dark Web to Cybercrime and Cyber Psychology.
You can follow Gary on Twitter here: @AgenciGary
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.