Data breaches are an ever-present danger in the modern world. The shift towards digital-first business models and increased adoption of remote working have only accentuated the threat — moving more data online and creating new avenues for attack.
Consider this: one small business experiences a data breach every 19 seconds in the UK alone.[1] But frequency isn’t really the problem here – it’s the consequences that should scare you. 60% of small companies close within six months of being hacked — and a lot of this has to do with the direct and indirect costs of that breach.[2]
It’s important to remember that the financial impact of a data breach isn’t limited to direct costs such as fines, remediation and disaster recovery. The damage caused to customer trust can be far more costly over the long term. Keeping these real consequences in mind is critical to making the right choices today and to taking security measures that are proportional to the risk you face. Here, we will take a look at the different costs of a breach, what causes breaches, and what you should do to minimise the risk of your organisation being breached.
Suggested reading: If you are struggling to get the support you need to invest in a better cyber security solution, check out our free resource — Board Presentation Toolkit: Cyber Security and Threat Management.
The Many Different Costs of a Breach
According to IBM, the average cost of a data breach in the UK in 2020 was $3.9 million (roughly £2.76 million).[3] This was up 10% over the previous five years, showing a continued upward trend. The costs incurred by a breach can take many forms. Let’s review each of them:
Cost #1: Compensation to Affected Customers
When a cyber-attack compromises personal data, affected customers may be entitled to compensation due to the loss of control of information, the distress caused and the financial losses incurred.
To illustrate, Equifax — the multinational credit reporting agency — was required by the Federal Trade Commission to pay up to $125 million in consumer compensation following a massive data breach via Apache Struts in 2017.[4]
Cost #2: Breach Investigating Efforts
Conducting an investigation is necessary after a data breach. It’s essential to clarify what exactly caused the breach to prevent it from happening again. The investigation will involve several steps such as gathering evidence by capturing data, interviewing employees who discovered and/or reported the breach, analysing the breach, and creating breach reports.
This can be a long and costly process that hinders productivity within the organisation. Moreover, hiring a firm to conduct a cyber-forensic investigation may incur a significant cost as well — anywhere from £10K to £100K.[5]
Cost #3: Potential Legal Fees Resulting From the Breach
Legal fees are not uncommon following data breaches. Organisations may be required to pay fees if customers demand compensation for the loss of personal data, or if penalties are imposed for non-compliance with regulation. To go back to Equifax, the company had to pay $2 million in legal fees to US financial institutions.[6]
Cost #4: Penalties for Non-Compliance With Regulations
Another cost is paying penalties for non-compliance with regulations like the General Data Protection Regulation (GDPR). The GDPR is the legal framework that sets guidelines for the collection and processing of personal information from individuals. The UK GDPR and the Data Protection Act 2018 set a maximum fine of £17.5 million or 4% of annual global turnover, whichever is greater, for infringements.[7]
For example, one of the biggest GDPR fines in recent years was a $26 million fine paid by British Airways due to a lack of security measures that led to a breach affecting 400,000 customers.[8]
Cost #5: Reputational Damage
A damaged reputation is a severe blow to an organisation’s image and hurts the bottom line in the long term. Losing customer and investor trust results in increased costs and a potential decrease in sales. For example, in 2016, TalkTalk lost over 100,000 customers after a cyber-attack, along with a third of its company value.
For small businesses, this reputational damage can be hard or even impossible to overcome, which is a large contributing factor to the high failure rate of small businesses following a breach. However, for large organisations, the total costs can be higher — even if it’s less likely to result in an existential failure. For example, an Oxford Economics study revealed that the value of a company’s shares fell by an average of 1.8% following a breach.[9]
Cost #6: Downtime
The cost of downtime can escalate rapidly if recovery isn’t quick. In addition to the cost of fixing downtime (paying a ransom, restoring data), there is also the loss of revenue which can be a severe blow if sales are mostly made online.
But perhaps the biggest cost tied to downtime is the loss of productivity. Having collaborators unable to work during downtime causes financial damage to organisations, and the longer this situation lingers the larger the cost becomes.
The Various Causes of a Breach
The reality of cyber threats is that cyber attackers are always looking for new ways to access, steal, or compromise data. Cyber security is never a 100% guarantee. It’s about minimising the chances of a data breach in order to mitigate the damage (and financial cost) if one does occur.
Common causes of data breaches that you need to understand include:
- Physical actions: Individuals may steal paper documents and devices like laptops, phones, CDs and DVDs, or storage devices.
- Unauthorised use: Employees can misuse business or personal information they’ve been given access to by copying or sharing it. But this isn’t always malicious — sometimes an employee may stumble upon sensitive information if information security is weak.
- Malware: A common type of cyber-attack, malware encompasses ransomware, spyware, RAM scrapers (which can scan the RAM of digital devices to collect sensitive data), and other forms of malicious software.
- Social engineering: This includes cyber-attacks like phishing and encompasses all types of attacks that seek to trick individuals into providing information or access to cyber criminals.
- Human error: One of the most common causes of breaches is sensitive information being sent to the wrong person by mistake. Likewise, a misconfiguration can leave a database containing sensitive information accessible online without adequate restrictions.
- Criminal hacking: Hackers are more active than ever — spreading harmful computer code, stealing weak passwords, and extracting information to sell it or commit fraud.
While it is impossible to eliminate the risks of hacks, an effective and proactive cyber security solution is essential to minimise the probability and potential costs of a data breach.
What You Need to Consider to Stop a Breach
The causes of data breaches are numerous, and taking preventive measures for each one can prove challenging. Luckily, there are solutions you can deploy. Critical strategies to consider include:
- Managed Detection and Response (MDR): An outsourced response team that monitors your network and addresses threats before they turn into breaches. MDR allows your organisation to benefit from best-in-class response teams without having to hire those skills in-house, and is a critical part of creating a flexible and responsive security posture.
- Endpoint security: Endpoint security is the technology that makes MDR possible. It focuses on monitoring communication between endpoints (devices like desktops, laptops, and mobile devices) and your system as a whole. It then uses automation and human response to remediate threats actively.
- Mobile Device Management (MDM): With more people working from home and greater acceptance of BYOD, having a holistic MDM security policy is critical to managing all of those devices and delivering secure outcomes.
- Cyber-awareness training: There are plenty of technical solutions to cyber security, but you need to remember your people too. Particularly when it comes to phishing and social engineering attacks, awareness and general operational vigilance are critical to keeping your organisation safe.
- Managed service providers: Cyber security services can deliver on-demand access to experts and let you side-step the cyber security skills shortage. This is a critical and flexible resource to consider when looking to effectively deploy any number of defensive and reactive strategies to combat the threat of a breach.
Investing in In-depth Defences
Cyber security is a never-ending journey. No organisation can ever be fully protected from a data breach, but with a multi-layered, in-depth defence strategy, the chances of a breach can be reduced significantly and its consequences contained.
Support Will Stop Threats from Becoming Breaches
Paying for effective cyber security in the short term will save you the colossal costs resulting from a breach. Having strong defences protects your organisation from downtime costs, lost business, and reputational damage. Indeed, the return on dedicated support far outweighs its cost.
At Six Degrees, we understand the stakes of cyber security and the challenges of implementing it. As a managed services provider, we help our clients bolster their cyber defences and keep the probability of a breach to a minimum. Interested in cyber security for your organisation? We can help. Reach out today and we will schedule an assessment.
References
1. UK Data Breach Statistics
2. 60 Percent of Small Companies Close Within 6 Months of Being Hacked
3. Cost of a Data Breach Study – United Kingdom
4. Case Study: Equifax Data Breach
5. What Does a Cyber Forensic Investigation Do and How Much Does It Cost?
6. GDPR Penalties and Fines | What’s the Maximum Fine?
7. GDPR Penalties and Fines | What’s the Maximum Fine?
8. The Biggest GDPR Fines in 2020 and 2021
9. What Is the Real Cost of a Data Breach?