According to recent Trends in Cybersecurity Breach Disclosures report, the average cost of a data breach for a publicly traded company is $116 million.
However, it’s worth bearing in mind that this figure will be skewed by the largest cases.
The report is based on 639 cyber-security breaches that took place since 2011, and includes some of the largest breaches we’ve seen to date, which include:
- The Equifax breach, which was disclosed in 2017, and cost around $2 billion.
- The Home Depot breach, which was disclosed in 2014, and cost around $298 million.
- The Target breach, which was disclosed in 2013, and cost around $292 million.
- The Marriott breach, which was disclosed in 2018, and cost around $114 million.
- The Facebook breach, which was disclosed in 2012, and cost around $5 billion.
It should also be noted that approximately 26% of companies are repeatedly targeted by cyber-criminals. These companies include Facebook, Sony, Amazon, Comcast, and T-Mobile USA.
According to data collected from 2019, the types of data that hackers were most interested in were customer names, addresses and email addresses, accounting for 48%, 29% and 28% respectively.
In 2018, the types of information that were most frequently stolen during a data breach included names and credit card details. We’ve also seen a 500% increase in the number of stolen Social Security Numbers (SSNs) from 2016 to 2019.
In terms of the methods that cyber-criminals used to obtain data, 34% of data breaches involved malware, 25% relied on phishing campaigns, 20% involved unauthorized access, while 12% were the consequence of misconfigured systems. Of the organizations that experienced a data breach, 43% did not disclose the nature of the attack.
In the majority of cases, it was the remediation costs and the fall in share prices values that caused the greatest financial damage. As we might expect, the theft of financial data resulted in the most significant losses.
Data Breach Response Times
According to the report, it took an average of 108 days for a data breach to be discovered, and an additional 49 days for a breach to be disclosed.
The largest recorded “dwell time” of any incident was associated with the Yahoo! data breach, which took as long as 1,649 days to be disclosed. The breach was first discovered in 2013, and then disclosed in 2016. Yahoo! was fined $35 million by The Securities and Exchange Commission for failing to report the breach in a timely manner. In 2017, Yahoo! was taken over by US telecommunications company, Verizon.
It should be noted that as security threats become more sophisticated, it will inevitably take longer for them to be identified and contained.
These days, a lot of companies rely on specialized contractors to carry out a forensic investigation before they notify the authorities.
Naturally, such investigations take time to complete, and while it is important to gather a sufficient amount of evidence about the incident before disclosing the breach to the public, a failure to move quickly could suggest that the company’s internal controls are inadequate. This could result in further damage to their reputation and incur even more costs.
For example, according to The 2019 Cost of a Data Breach Report, carried out by IBM and the Ponemon institute, the longer it takes for a company to detect and respond to a security incident, the more money they will typically have to pay.
Organizations that have a formal well-tested incident response plan (IRP) in place will spend an average of $3.51 million to cover the costs of a breach, whereas organizations that don’t have an IRP in place spend an average of $4.74 million.
As you can see, it’s a double-edged sword. It is important to understand what happened before disclosing the breach, but if it takes too long, it could end up costing the company more money than what this knowledge is worth.
How Can Organizations Minimize the Cost of a Breach?
Incident response is typically broken into key phases, which include: Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned.
However, in the context of minimizing the cost of a breach, the ability to identify, contain and disclose the breach in a timely manner is where our focus should be.
Once the breach has been disclosed, you can then move on to ensure that the breach has been eradicated, and then get your system back to its operational state.
To help speed up the identification process, it is imperative that you are using technologies that provide visibility into the types of data that were affected, and the events that took place prior to the incident.
To start with, it helps if you have a concise inventory of what data you have, where it is located, and how the data is classified. If only a certain server was affected, you can use this inventory to make an informed assessment of the data that was compromised.
A data classification solution will automatically scan your file system for sensitive data, and classify the data based on the privacy laws that are relevant to your organization. Doing so will greatly simplify the process of carrying out a forensic analysis.
Of course, data classification isn’t much use on its own, but it will streamline the process of assigning access controls to critical assets. In addition to a data classification solution, you will need to ensure that you have a detailed log of all events concerning your sensitive data.
A Data Security Platform will aggregate and analyze event logs from multiple sources, including most popular cloud platforms.
Using these solutions, you can carry out a detailed search of all events that took place prior to the incident. Most real-time auditing solutions are capable of automatically generating reports that are customized to meet the requirements of the most salient data protection regulations.
While adopting these solutions may require an initial upfront cost, they will allow you to disclose the details of a security incident to the supervisory authorities in a fast and efficient manner, thus potentially saving significantly more money than what was spent on the solution.