If you’ve ever worked with an MSP (or read this blog), you’ve probably heard warnings about protecting yourself against data breaches. They’re dangerous, inconvenient and, above all else, costly. But saying one data breach can bankrupt your business isn’t gloom-and-doom hype – it’s the truth.
Calculating the overall cost of a breach
There are a number of factors that go into calculating the total cost of a data breach, so it can be challenging to come up with a particular price tag. However, the Ponemon Institute and IBM’s 2016 Data Breach Study establishes some general financial benchmarks.
According to their report, the total average cost of a breach is around $7 million, with each compromised record costing a company about $221. This $7 million figure can be broken down by categorizing costs as direct and indirect. The former includes any action taken to assist victims and minimize the effect of data loss (e.g. legal fees, ransom payments), while the latter includes reputation damage and resource time. Studies have shown that companies actually spend more on the indirect elements of a data breach.
What costs are associated with a breach?
When a business suffers a data breach, the long-lasting effects go beyond simply restoring or buying back lost data. Some of the most common direct and indirect costs include:
- Loss of customers: Any widespread data breach results in loss of existing customers, as well as dissuasion of prospects – a large percentage of surveyed adults said they would not work with a business that has been breached.
- Business disruption: This term encompasses lost revenue due to things like decreased employee productivity and business process failures.
- Legal fees: Dealing with the fallout of a breach typically involves legal counsel, especially if class-action lawsuits are filed. Some companies have had to pay out upward of $10 million in the aftermath of a breach, not including legal fees.
- Regulatory fines: Depending on your industry, you may face noncompliance fines levied by regulatory agencies such as the Federal Communications Commission (FCC) or the Federal Trade Commission (FTC).
- Stolen revenue: If your network has been breached, there is a chance the hackers will gain direct access to your accounts.
- Notification and public relations: 95% of states have legislation requiring companies to notify individuals of breaches involving personally identifiable information. Notification costs can include postal expenditures, email systems, inbound communication setup and resource time. Most companies also retain a PR agency to communicate with media, victims, stakeholders and employees.
- Identity theft repair and monitoring: When a data breach occurs, businesses must fund follow-up actions to ensure the integrity of the victims’ identities, such as reissuing credit cards and paying for credit monitoring.
In short, one significant data breach is usually all it takes to bankrupt a small- to medium-sized business. There are a lot of things companies can do to protect themselves from data breaches: ensuring compliance, implementing encryption, installing thorough security packages with anti-virus software and firewalls, and, most importantly, providing user education. At MyITpros, we encourage all businesses to put together incident plans in case of a breach. Feel free to contact us today to discuss your security needs.