Calculating the cost of a data breach

Did you know that in 2022, according to independent research by the Ponemon Institute that is published annually by IBM Security, the average cost of a data breach was reported to be $4.35m (USD)?

If you work in IT, you've probably seen that number thrown around quite often - usually by vendors or consultants trying to justify the cost of their own products and/or services, which cost less than $4.35m and must therefore be a great investment.

On a side note, did you know that when someone steals your wallet they'll probably take all of the cash inside of it? If you give me just 40% of that cash right now, I can keep your wallet and the remaining 60% safe for you.

The figure is quite striking - and that's the point and why you might've seen it bandied about - but it's worth digging a little deeper to understand what sort of costs your organisation might face should it be breached.

So without further ado, let me share with you a few of the costs that may come along with a data breach.

Loss of productivity

Increased productivity typically leads to increased income, so naturally decreased productivity due to a data breach is almost certainly going to lead to a decrease in income.

Employees may be unable to access the system(s) that they use to be productive and thus be unable to fulfil their job duties, or they may be drawn away from regular duties to assist in responding to the data breach - and that won't be just your IT staff but most likely others like your HR, legal, marketing and communications staff as well. Not only this, but all of these employees are still getting paid regardless of whether they're able to be productive or not.

If you can quantify the values applicable to different functions and systems impacted in your business, you can calculate the cost of lost productivity. If you can't, you can still see how much you are paying employees to not do their job with a simple equation like the following example:

Cost of lost productivity per hour = average salary (as an hourly rate) x # employees

A hypothetical organisation of 1000 employees earning $50/hr on average, who are all taken offline during a cyber incident, would be looking at a cost of $50,000 per hour in lost productivity alone. Extrapolate this to days and weeks that the impact may last, and the costs continue to swell.

Lost revenue

What if the system(s) don't just enable employees to be productive, but are actually revenue generating themselves? Simple examples are an e-commerce website or a backend order processing platform.

You guessed it, when a revenue generating system is offline it no longer has the ability to bring in revenue.

Using the same example of an e-commerce website, your average sales data can be used to flesh out what an hour or a day offline is costing your business.

Reputational damage

Reputational damage is harder to quantify, but with many governments around the world introducing or expanding upon mandatory reporting regulations and public knowledge of data breaches ever increasing, the impact to your brand/reputation can be quite substantial.

On the lighter end of the scale, it might push existing consumers away from your business and impact the purchasing decisions of prospective new customers. On the more extreme end of the scale, it can force your business into permanent closure. I say extreme, but it is certainly more common than you think, with Verizon reporting that 60% of small businesses suffering a cyberattack go out of business within 6 months.

This difficult-to-quantify cost and the potential ramifications highlight the need for a swift, transparent and purposeful response to a breach. Taking control of a situation whilst simultaneously being able to assure your shareholders and customers that you have done so is paramount. And you certainly don't want to be exposed telling any little white lies.

Cost of response & recovery

So far I've covered costs outside of the data breach itself, but the activities relating to responding to and recovering from the data breach are an added cost to the business-as-usual operating costs of your business.

Some of the fairly immediate costs you'll be looking forward to include:

  • Incident response - "how do we stop this?"
  • Forensic analysis - "how did this happen?"
  • Assessment and auditing - "what exactly happened and what are the impacts?"
  • Notifications to various stakeholders - "who do we need to tell and how will we tell them?"
  • Remediation efforts - "what do we need to fix, restore, reissue or resolve?"
  • Increased customer queries - "how many more phone calls do we need to handle?"
  • Customer goodwill - "what discounts, reimbursements or refunds should we offer our customers?"
  • Legal costs.
  • Bringing in external consultants and subject matter experts for some of the above.

Longer term you may then look to bolster your capabilities in these areas to either prevent another incident, or improve your ability to respond if it happens again. That capability might come by way of systems to help with detection and alerting, or by changes to company processes and policies.

Your cybersecurity insurance policy premium may also increase, and may do so regardless of whether you have been breached or not. After all, Zurich CEO Mario Greco recently predicted that cyber will become uninsurable.

Regulatory fines

As I alluded to above, governments around the world are introducing or expanding upon mandatory reporting regulations, and with this there are various fines being introduced in addition to those that may already exist.

A recent example is the federal government of Australia looking to update privacy laws to increase the maximum penalty for serious cyber breaches from $2.2m (AUD) up to the greater of:

  • $50m (AUD).
  • Three times the value of any benefit obtained through the misuse of information.
  • 30 percent of a company's adjusted turnover in the relevant period.

Different governments and different sectors are bound by different rules around the world, but regulation is fast catching up to hold organisations accountable for the third-party data they possess. In the midst of all the other costs, these fines will increasingly become the cherry on top.
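To make the lost-productivity formula from earlier and the "greater of" penalty rule above concrete, here is a small cost model as an added example (not code from the original post). The employee count and hourly rate are the post's own scenario; the outage duration, revenue-per-hour and turnover figures are constructed assumptions.

```python
# Added example: a breach-cost model combining the lost-productivity formula
# with the proposed Australian penalty rule. Only the penalty thresholds and
# the 1000-employee / $50 per hour scenario come from the post; every other
# input figure is a constructed assumption for illustration.
from dataclasses import dataclass


@dataclass
class Outage:
    employees: int                 # headcount taken offline by the incident
    hourly_rate: float             # average salary expressed as an hourly rate
    hours_offline: float           # how long the disruption lasts
    revenue_per_hour: float = 0.0  # average sales an affected system makes per hour


def lost_productivity(o: Outage) -> float:
    """Cost per hour = hourly rate x employees, scaled by the outage duration."""
    return o.employees * o.hourly_rate * o.hours_offline


def lost_revenue(o: Outage) -> float:
    """Revenue a sales system fails to bring in while it is offline."""
    return o.revenue_per_hour * o.hours_offline


def proposed_au_penalty(benefit_obtained: float, adjusted_turnover: float) -> float:
    """Maximum penalty under the proposed Australian rule: the greater of
    A$50m, three times the benefit from misuse, and 30% of adjusted turnover.
    If the benefit or turnover cannot be quantified, the A$50m floor still applies."""
    return max(50_000_000.0, 3 * benefit_obtained, 0.30 * adjusted_turnover)


def estimated_direct_cost(o: Outage) -> float:
    """Lost productivity plus lost revenue. Response, recovery, reputational
    and ransom costs from the post are deliberately not modelled here."""
    return lost_productivity(o) + lost_revenue(o)


if __name__ == "__main__":
    # The post's scenario (1000 staff at $50/hr) run for a constructed 72-hour outage.
    scenario = Outage(employees=1000, hourly_rate=50.0,
                      hours_offline=72, revenue_per_hour=20_000.0)
    print(f"Lost productivity: ${lost_productivity(scenario):,.0f}")
    print(f"Lost revenue:      ${lost_revenue(scenario):,.0f}")
    print(f"Direct cost:       ${estimated_direct_cost(scenario):,.0f}")
    # Constructed turnover of A$120m: 30% is A$36m, so the A$50m floor wins.
    print(f"Max AU penalty:    A${proposed_au_penalty(0, 120_000_000):,.0f}")
```

Note that the productivity and penalty figures are in different currencies (USD and AUD respectively) and should not simply be summed.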

The ransom

Most data breaches are met with a request for a ransom payment, hence the terminology of 'ransomware'.

In some jurisdictions, it is (or it will soon be) illegal to pay a ransom in response to a data breach in order to disincentivise cybercrime. And given that this is seen as an optional cost rather than a non-negotiable one, ransom payments often aren't accounted for in calculations around the total cost of data breaches.

The fact of the matter though is that for a variety of reasons, many organisations do choose to pay the ransom, and for them the average cost is then $4.35m plus.

In closing

When I started this blog and thought loosely about writing articles on a semi-regular basis, I didn't think I'd have a poncy "in closing" thought to cap off every article. But two articles in and here we are...

The costs associated with a data breach are not quite uniform from business to business, but those I've covered above are the sorts that can generically be applied across a large majority of businesses.

Hopefully the above breakdown has given you some food for thought on why IT is usually a bad place to start when it comes to budget cuts, and why it's vital to understand and qualify the risks of cyberattacks to your business to bolster your ability to prevent or react to them.