When it comes to the cost of a data breach versus the cost of cyber security, a business owner must make a tough choice: accept the risk to sensitive information, or expand the IT budget to fund properly prepared Incident Response (IR) teams and IR plans.

IBM's Cost of a Data Breach report indicates that US organizations face some of the highest breach costs, averaging $8.9 million per incident. Globally, the average cost of a data breach in 2020 was $3.86 million.

However, cyber security that prevents data breaches also requires significant spending on the tools, policies, and people needed to keep your business's data safe, and these prices are not uniform across industries: they vary with an organization's particular security requirements.

The best practice for businesses is to consider the financial impact of a data breach and weigh it against the cost of staying secure with breach prevention and detection. But how exactly does a business do that? Let's explore these challenging calculations.

Data Breaches: The Nickels & Dimes

No matter what your company's function or size, a data breach can be financially devastating and incredibly difficult to account for. Benchmarking against a similar company's breach costs can lead to misleading conclusions, so we have gathered a list of factors that every business should consider when estimating the price of a potential data breach.

As one might guess, remediation and compensation for the affected parties are on the list, but they are just the tip of the iceberg for data breach costs. You can also lose money through:

  • Direct financial loss
  • Loss of reputation and brand value
  • Disruption of regular business activities
  • Loss of customers' trust
  • IT department re-budgeting

Each of these is an important aspect to weigh, and the final figure will look different for each company. Every business that faces a data breach, however, will have to consider these costs.

Some Other Costs to Consider

Other considerations businesses should make when calculating the cost of a data breach include:

  • Industry regulations: The more regulated your industry, the higher your breach costs tend to be. Healthcare, for example, is heavily regulated and sees average costs as high as $7.13 million, versus less regulated industries such as hospitality, where costs ring up at just under $2 million.
  • Ransomware: This is a specific type of attack in which the attacker encrypts the company's data (and increasingly also steals a copy) and demands payment to restore access or withhold publication. Whether the company decides to pay the ransom, and whether it can instead recover from clean backups, determines how much higher its breach costs will be.
  • Slow responses to breaches: The faster a company identifies and contains a breach, the less it pays in financial fallout. Response time is so directly tied to cost that companies that contained a breach in under 200 days saved $1.1 million on average compared with those that took longer.
  • Regulatory fees: Regulatory penalties depend on the privacy laws your company is subject to, nationally and globally. In the US alone there are 52 different privacy laws, not to mention global regulators like the UK's ICO. These can pack a monetary punch: Marriott's 2018 data breach had already cost the hotel chain $28 million when, in July 2019, the ICO announced its intention to fine the company a further $124 million.
  • Delayed costs: Much of the cost of a data breach arrives in the weeks, months, and years after the attack. An analysis of stock prices for breached companies showed a dip 14 days after the incident and another 12 months later. Other data shows that only 61% of breach costs are paid in the first year, 24% in the following 12 to 24 months, and the final 15% more than two years after the breach.
  • Remote work: The COVID-19 pandemic forced millions of workers into remote roles. IBM found that having a remote workforce at the time of a breach raised the average cost of a data breach by roughly $137,000.

These factors show that every company suffers after a data breach. Companies that have been through a malicious attack would most likely agree that the cost of cyber security is far less disruptive than the cost of a breach. Let's look at the elements that go into a cyber security plan for an individual organization.
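As an added worked example, not part of the original article, here is a small Python model that turns the factors above into a comparison a business can actually run. It applies the standard annualized loss expectancy (ALE = cost of one breach multiplied by yearly breach probability) and return-on-security-investment (ROSI) formulas to the article's figures. The $8.9 million breach cost, the $1.1 million saving for containment under 200 days, and the 61/24/15 payout schedule come from the article; the breach probabilities, the $500,000 annual security budget, and the assumed effect of the controls on those probabilities are illustrative assumptions, not figures from the article or from IBM.

```python
"""Expected-loss model for weighing breach exposure against a security budget.

Added example, not from the original article. It applies the standard
annualized loss expectancy (ALE = single-breach cost x annual probability)
and return-on-security-investment (ROSI) formulas to the article's figures.
The probabilities and budget below are assumptions chosen for illustration;
replace them with your own organization's numbers.
"""
from __future__ import annotations

from dataclasses import dataclass

# Long-tail payout schedule cited in the article: share of total breach cost
# paid in year 1, in months 12-24, and more than two years out.
PAYOUT_SCHEDULE = (0.61, 0.24, 0.15)

# Average saving the article attributes to containing a breach in under 200 days.
FAST_DETECTION_SAVINGS = 1_100_000.0


@dataclass
class BreachProfile:
    """Loss exposure of one organization under one set of controls."""
    avg_cost: float            # expected cost of a single breach, USD
    annual_probability: float  # assumed chance of suffering a breach in a year
    fast_detection: bool       # lifecycle (identify + contain) under 200 days?

    def cost_per_breach(self) -> float:
        cost = self.avg_cost
        if self.fast_detection:
            cost -= FAST_DETECTION_SAVINGS
        return round(max(cost, 0.0), 2)  # savings cannot push cost below zero

    def annualized_loss(self) -> float:
        """ALE: what breaches cost per year, averaged over good and bad years."""
        return round(self.cost_per_breach() * self.annual_probability, 2)


def payout_by_year(total_cost: float) -> list[float]:
    """Spread one breach's cost over the article's 61/24/15 long-tail schedule."""
    return [round(total_cost * share, 2) for share in PAYOUT_SCHEDULE]


def evaluate_investment(baseline: BreachProfile, mitigated: BreachProfile,
                        annual_security_budget: float) -> dict[str, float]:
    """Compare yearly breach exposure with and without the security spend.

    risk_reduction: ALE removed by the controls
    net_benefit:    risk reduction minus what the controls cost per year
    rosi:           net_benefit / cost; positive means the spend is cheaper
                    than the expected losses it prevents
    """
    reduction = round(baseline.annualized_loss() - mitigated.annualized_loss(), 2)
    net = round(reduction - annual_security_budget, 2)
    rosi = round(net / annual_security_budget, 4) if annual_security_budget else float("inf")
    return {
        "baseline_ale": baseline.annualized_loss(),
        "mitigated_ale": mitigated.annualized_loss(),
        "risk_reduction": reduction,
        "net_benefit": net,
        "rosi": rosi,
    }


if __name__ == "__main__":
    # Constructed scenario: a US firm (article's $8.9M average breach cost) with
    # an ASSUMED 25% yearly breach probability and slow detection, versus the
    # same firm after spending $500K/yr on an IR team, automation and training,
    # ASSUMED to cut the probability to 15% and bring detection under 200 days.
    before = BreachProfile(avg_cost=8_900_000, annual_probability=0.25, fast_detection=False)
    after = BreachProfile(avg_cost=8_900_000, annual_probability=0.15, fast_detection=True)
    result = evaluate_investment(before, after, annual_security_budget=500_000)
    for key, value in result.items():
        print(f"{key:>15}: {value:,.2f}")
    print("payout schedule for one unmitigated breach:",
          payout_by_year(before.cost_per_breach()))
```

The hard inputs are the two probabilities; the article's cost figures are easy to plug in, but the likelihood of a breach before and after controls has to come from your own incident history, industry loss data, or a structured risk assessment, and the result is only as defensible as those estimates. The payout schedule is there to remind the budget owner that a breach in year one is still being paid for in year three.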

Cyber Security: Measuring the Costs of Safety

Cyber security expenditure is usually part of the IT services budget. Its price is hard to predict because it depends on a business's present needs. A good starting point is to assess your business for the general vulnerabilities an attacker will target.

Resolving vulnerabilities in the areas listed below and then implementing breach prevention and detection services will take up most of your cyber security budget.

Employee Security Training

A good place to start securing your data is by training your employees to recognize the signs of cyber threats, such as phishing emails, and what to do in response. Human error is the biggest weakness in any security plan; when it comes to cyber security, what you don't know can hurt you.

Endpoint Protection

Endpoint protection covers the devices your employees work on, such as mobile phones, desktops, and laptops. These need to be assessed for vulnerabilities, kept patched, and monitored as well.

Network Security

By tuning your anti-malware, firewalls, and other network monitoring tools, and actually reviewing the alerts they raise, you can more fully protect your data.

Data Storage

Your company's data can be stored in many ways: on physical servers, in data repositories, in cloud storage, and more. Each needs its own form of encryption and key management so that the data stays safe even if the storage itself is compromised.

Access Management 

Access management covers individual accounts: do they need stronger access controls, such as multi-factor authentication and least-privilege permissions, to keep attackers away from sensitive data?

Ongoing Services

The computer and server maintenance services you contract for may need to run on ongoing terms; these recurring fees are important to include in the final accounting of your cyber security plan.

While planning your tactics, consider bringing in an IR team that regularly tests its IR plan, and adopting security automation technologies. IBM's research found that these measures lowered the average cost of a breach by $2.00 million and $3.58 million, respectively.

Data and experience show that breaches are inevitable; it is better to carry a predictable cost than to expose your company to a drastic setback with unpredictable ramifications.

Investing in Cyber Security Is Always Worth It

At the end of the day, no one knows exactly what a data breach or a cyber security plan will cost a company. Cyber security plans depend on a company's particular needs and finances, and data breaches come in many forms. However, IBM has reported that prepared companies end up paying less after a breach than unprepared ones.

The best analogy is to think of cyber security as risk management insurance. We budget and pay for homeowners and auto insurance without knowing how or when an unexpected event will strike, but when it does, we are prepared and in a better position than anyone without insurance. Risk management insurance is a necessary cost of doing business.

So, the question is, would you rather have a price you can budget for or one that comes out of nowhere?  

If you’re curious about the costs of cyber security for your company, call LDD and request a FREE Cyber Security Risk Assessment this month only as a risk-free way to guide you in understanding the costs of securing your business.  For more information from a panel of security experts, take a look at this episode of The Reboot, where they discuss The Real Costs of a Data Breach Compared to Security.