4 Factors to Consider When Calculating the Cost of a Data Breach
Data breaches are one of the most common types of security incidents. It is quite possible, although it may be hard to prove, that every company around the globe was at some point a victim of information leakage.
For instance, a breach may be as simple as accidently sending an email with corporate information to the wrong recipient, or as complex as a former executive breaching a confidentiality agreement. Breaches may occur from widespread technical vulnerabilities such as an unexpected CPU design flaw, or from human error like failure to follow corporate procedures. The level of impact can vary from just a small nuisance to recovery expenses in the millions.
To put it simply, every company should at least plan for the unforeseen consequences of a data breach — this includes estimating the costs of varying levels of data breaches. This task, however,may be more complex than most people would initially assume.
Here are four areas to consider when calculating the cost of a data breach.
- Contextual Factors: Location, Industry and Data Types Drive Breach Costs
Breach costs can vary based on the business context. For instance, business geographical location, state or country will have direct impact over legislation-related costs, while the branch of industry will define what regulations the company must follow. Internal factors such as the maturity of security controls (and whether or not they exist) will affect the level of data exposure and can minimize the cost of incidents. These include availability of an incident response team, use of encryption technology and employee training.
Other factors include the number of leaked records and their nature, or how much are they worth to the company and clients. If breached information includes personal data or financial information, resulting profit loss or the cost of a class action lawsuit should be factored into breach cost calculations.
Once a severe security incident becomes public, depending on the scale of the occurrence, it only takes a few hours for most major publications to put it in their headlines. It takes even less time for it to spread through social networks. If a company is not ready to deal with the public backslash, this can have a drastic impact on the incident cost.
For instance, once the Equifax leak became public, the company stock price dropped from $142.72 to $92.88 in a matter of days. It is quite obvious that after leaking personal data of over 143 million victims, company value will be negatively affected. However, it was made worse when some Equifax top executives dumped stock before the hack news went public.
Having a crisis management team aligned with both the incident response team and communications team will establish an official communications channel. This allows the company to explain what happened and promptly help affected parties. Also, having executives behaving ethically in a time of crisis is always a sound way of reducing damage to corporate reputation.
Depending on the existing security controls and the nature of the breach, an incident can go for days, weeks or even years without any sort of detection. It is quite simple: The longer it takes to discover a data breach, the greater its cost can be. If a data leak is detected in its initial stages, it may be contained before causing any impact.
For example, if a data leak prevention (DLP) system sends an alarm after a confidential or sensitive file is copied to a USB drive without authorization, the perpetrator could be detained even before leaving the building, thus minimizing any impact. If this same incident goes without detection, the breached information could discreetly be sold to an unethical competitor or be traded for Bitcoins on the Dark Web. Assuming this could go on for an undetermined period of time, the impact and cost of the data leak could increase exponentially.
Unfortunately, even the best laid security strategy can fail. A recent example is the Meltdown and Spectre vulnerability discovered in June 2017 and made public in early 2018. This severe security flaw exposed most modern CPUs and could lead to the leak of passwords and sensitive data. So far, there are no confirmed cases, but this issue has been present in most systems for the last decade. It is also quite difficult to detect, as the exploitation does not leave any traces in traditional log files. This means it could have been used to steal information, even from companies with the best protection technology.
In summary, a level of uncertainty will always be present when calculating the cost of a data breach. Even with a proper security architecture, there is always the possibility that an unknown factor that could jeopardize an entire protection strategy.
The cost of a data breach can be rather difficult to estimate, but it is far from impossible. If you take into consideration the corporate context, both internal and external factors, the nature and number of records involved in the leak, the ability to promptly detect incidents and leave room for an acceptable level of uncertainty, cost estimates can be highly similar to a real case.