Setting the Scene
It’s 4AM. Somewhere on the other side of the world your third-party development team is hard at work migrating your system to the cloud. It is difficult, fatiguing work, but the team is meeting its deadlines and delivering within budget as planned. Suddenly, as the result of a system glitch, a human error or possibly a malicious attack, 25,000 customer records are breached. If you are like most companies, this incident will not be discovered that night, the morning after or even in the weeks to come. It will take you more than six months to discover that anything has happened and an additional three to four months to contain the breach. Your world will be embroiled in lawsuits, business disruption and revenue loss, including the loss of customers you never had, and irreparable damage to your brand’s image in a nightmarish corporate snafu that will last for years to come. This is the unfortunate reality for many that suffer data breaches. Incidents like this one grow more common, more costly and more difficult to contain every year.
You ask yourself, “Why is this happening?” Data breaches have one of the three causes named above: system glitches, human error or malicious attacks. Malicious attacks are not only the most common cause of a data breach, they are also the most costly. According to the Cost of Data Breach 2019 Report, the average data breach in 2019 cost $3.92M, whereas the average breach caused by a malicious attack cost $4.45M. What makes a data breach so costly? Data breaches take time to contain. In 2018 the average lifecycle of a data breach (the time it takes to identify and contain a breach) was 266 days. In 2019 that number rose 4.9% to 279 days. The average data breach lifecycle is now 206 days to identify the breach and 73 days to contain it. Breaches caused by malicious attacks are the most expensive because they take the longest to contain: 314 days, an increase of 12.5% over the average breach lifecycle. The faster a company can identify a data breach, the lower the overall cost. Incidents with a lifecycle of less than 200 days are on average $1.22M less costly than breaches with a lifecycle of more than 200 days. Breaches need to be identified fast and handled appropriately in order to mitigate cost as much as possible.
The horror of a data breach is not over once it is contained. Other lingering factors contribute to the losses accrued due to a breach. The period of two years or more after the breach has been contained is called the “Long Tail.” Roughly one third of data breach costs occur more than one year after the initial incident. On average, 67% of costs are seen within the first year due to the initial response and breach containment, 22% of costs are seen in the second year and 11% of costs are seen more than two years after the breach. The Long Tail is an even more serious issue for companies in highly regulated environments such as the financial, healthcare and energy sectors. These organizations saw averages of 53% of costs in the first year, 32% in the second year and 16% in the third year. This is due in part to the legal costs and regulatory fines associated with containing a breach in a highly regulated environment.
Lost business is the biggest contributor to the cost of a data breach, and small businesses are the biggest losers in these situations. The average cost of lost business due to a breach is $1.42M, or 36% of the total. Breaches caused an abnormal customer turnover of 3.9% in 2019. A smaller business of between 500 and 1,000 employees had an average breach cost of $2.65M, or $3,533 per employee.
Larger organizations of 25,000 employees or more average only $250 per employee. The situation for smaller companies is therefore far worse than for larger ones. In a social media world, your online reputation is everything. Online reviews, comments, tweets, likes and hits influence the reputation of your brand, which is why the effect of a breach is often so immediate and the response so costly. Smaller companies have less money and do less business, which is why a breach is so much more dire for them, one that can force them to fold in a year or less. This disproportionate cost, combined with the loss of business, can make a data breach a death sentence for smaller companies that are unprepared to deal with breach incidents.
Factors that amplify the average cost of a data breach include third-party involvement, compliance failures, extensive cloud migration and system complexity. If a third party, like the one in the scenario at the beginning of this article, caused the breach, the total cost increased by $370,000 to $4.29M. A major cloud migration in progress during a breach increased the cost by an average of $300,000 to $4.22M. “What then are we supposed to do? Those are unavoidable scenarios. We utilize third-party providers as part of our business model, and we have been planning on moving to the cloud for years now. How can we avoid breaches and still stay in business?” Luckily, in addition to breach cost amplifiers, there are also cost mitigators, both technical and organizational.
Can we use AI?
Organizations employing automated security solutions such as artificial intelligence, machine learning, analytics and automated incident response saw significantly lower costs after experiencing a breach. Companies without any of the tools listed above experienced breach costs 95% higher than organizations with fully deployed automation ($5.16M vs $2.65M). These are not the only methods for reducing costs. Organizational changes can also reduce the potential cost of a breach. The formation of an incident response (IR) team and extensive testing of the IR plan reduce the average total cost by as much as $360,000 and $320,000 respectively. Organizations that employed both saved an average of $1.23M compared with organizations that neither formed an IR team nor tested an IR plan, whose average data breach cost was $4.74M. Combining both saved companies $410,000 on average. A DevSecOps approach that builds security testing and design into the development process saved $10.55 per compromised record, while system complexity increased costs by $10.96 per record; the average number of records lost during a breach was 25,575. At that average breach size, a DevSecOps approach reduces the cost of a breach by $269,816. Extensive use of encryption reduces the cost by $12.25 per record, or $313,294. Combining all four cost-mitigating factors reduces the overall cost of a breach by an average of $993,110, or 25.33%. Over a quarter of the overall cost of a breach can be mitigated using these four steps.
An Ounce of Prevention …
As data grows and the world becomes increasingly digitized, breaches will become an even more regular occurrence. The odds of a breach occurring in an organization within two years increased between 2018 and 2019 from 27.9% to 29.6%. This is up from the 2014 likelihood of 22.6%, a 31% increase in odds over five years. Regardless of the steps taken to secure sensitive data, malicious actors will always find new and better ways to cause a system breach. The best way to protect yourself and your organization is to prepare for the incident before it happens. This must be done through a combination of organizational and technological methods to ensure the safety of your customer and employee information. The solutions are out there. The question is, what are you going to do to protect your brand, your reputation and your business?
Data breaches can be costly and confusing. Avoid hefty fines and headaches by reaching out to experts like Axis to take care of your data compliance. With over 19 years of experience, Axis will design a business process and execute an implementation that helps you avoid those fines.