Hidden Costs of a Data Breach

Don't consider just the initial costs. Hidden factors include remediation, revenue loss, reputational harm, national security — even human life.

Jerry Caponera, Vice President, Cyber Risk Strategy, ThreatConnect

February 22, 2022


If you knew that putting a lock on your front door would lessen the likelihood of your valuables being stolen, would you install a deadbolt? The logical and simple answer would be: yes.

The Internet wasn't built with security in mind. There is no deadbolt to protect against all digital threats. It was built to be easy and fast, not to withstand sophisticated attacks from global threat actors. As technology has evolved, so have business and risk models. However, many organizations today still don't fully understand the costs associated with data breaches or which factors must be considered when implementing tools to prevent future attacks.

When it comes to security against data breaches, companies tend to focus only on the likelihood of an attack on their systems or the magnitude of attacks in their industry. Headlines about an increase in data breaches can't be the sole indicator of risk. To have a better understanding of what will happen if a company shores up its defenses, the magnitude and the likelihood of an attack must be viewed together. The two have a direct correlation.

Cybersecurity Must Become a Conversation About Risk
Understanding risk and realizing the true costs of a data breach are key in making informed investment decisions. Once the risk of a data breach is understood in the context of likelihood and magnitude, a company should consider the cost of a data breach or ransomware attack versus the cost of prevention. And the true costs of a cyberattack are often not realized until a company is past a breach. Most companies only consider the extortion cost of a ransomware attack, but in many cases that tends to be a smaller number in the grand scheme of costs. When it comes to cyber-risk, context is key.

Whether the problem is a data breach or ransomware attack, costs can get overlooked but must be considered when deciding how much to invest in cybersecurity prevention. These hidden costs include remediation, revenue loss, reputational harm, national security, and human life. Not all of these are measurable, tangible risks, but all factors must be taken into consideration when assessing the true and total cost of a data breach.

Monetary Costs
Legal costs are one of the largest expenditures for data breaches, with remediation costs, GDPR fines, healthcare data loss, notification costs, and other macro losses following in magnitude. For ransomware attacks, reporting and experts tend to focus on the cost of extortion (the ransom payment) rather than on the larger picture of revenue loss.

Cyberattacks can freeze critical systems for a company, resulting in decreased production output, which can lead to lower profits or a loss of customers.

Companies holding confidential client materials, medical records, Social Security numbers, addresses, or other highly protected information are at great risk of losing trust and business as the result of a cyber hack. A data breach can make its way into the public eye, leading to reputational harm and a loss of potential customers who no longer trust the company.

Critical Infrastructure & National Security
Research in Experian’s 2022 Data Breach Industry Forecast indicates that threat actors will “more frequently target physical infrastructures like electrical grids, dams, or transportation networks. Hackers may target funds disbursed by Congress that are intended to rebuild U.S. infrastructure.”

Supply chain crises such as the Colonial Pipeline attack indicate the urgent need to consider cyber-risks associated with national security. Attacks against the government or government contractors weaken our country both economically and competitively. Further, the exfiltration of classified intelligence puts America’s security and the lives of those in the field at risk.

Cost of Human Life
Making business decisions in the age of daily cyberattacks is not just an investment challenge, but an emotional one. IBM and the Ponemon Institute analyzed roughly 100,000 data breaches experienced by more than 500 organizations worldwide from May 2020 to March 2021 and found that data breaches in healthcare were the most expensive by industry at $9.23 million on average — an increase of $2 million from the previous year.

If a hospital were to be compromised by a data breach and systems were affected, critical technology could temporarily be unavailable and result in deaths. Were this to happen, not only would a healthcare company need to account for the emotional burden and reputational damage, but it would risk exposure to lawsuits and other significant financial burdens.

Further, a 2019 Health Services Research study indicated that for every 10,000 heart attacks at a hospital experiencing a cyber breach, there were roughly 36 additional deaths beyond the typical heart attack fatality rate for hospitals.

Just as intelligence should flow through every aspect of a security program, cybersecurity should touch every aspect of a business in order to protect organizations, employees, and client data from threat actors.

Cost of Prevention Outweighs Potential Cost of Breach
The potential costs associated with a data breach or ransomware attack can be extremely high, and the losses vary by attack type, as the graphs below show.

Estimated breakdown of data breach loss over time

Estimated breakdown of ransomware losses over time

When it comes to the bottom line, C-suite executives want to see a return on their security investment. Based on the potential costs of a cyberattack, an investment in cybersecurity tools is not only worthwhile, but essential.

Multifactor Authentication and Data Encryption Help Mitigate the Impact of a Data Breach
Ransomware attacks can be mitigated through technologies such as strong endpoint protection and credential management, while having strong backup and recovery helps reduce the financial impact. The costs of prevention vary based on industry, size of the organization, and the magnitude and likelihood of an attack.

Unfortunately, "it’s never too late" doesn't apply to protecting a company from threat actors. The costs of not installing that digital deadbolt can be the difference between a company meeting its quarterly goals and experiencing a costly attack.

About the Author(s)

Jerry Caponera

Vice President, Cyber Risk Strategy, ThreatConnect

Jerry Caponera, Vice President, Cyber Risk Strategy, at ThreatConnect, leads the effort to quantify cyber risk in financial terms. He's been working on cyber risk quantification efforts for a number of years and has a broad background in cyber, having worked for incident response, malware analysis, and services companies. He has spoken at a number of conferences worldwide, including ISS World MEA, InfoSecurity Russia, and TM World Forum. He holds an MBA from the University of Massachusetts, an MS in Computer Science from the University of Pennsylvania, and a BS in Electrical Engineering from the University of Buffalo.
