Security Breaches Cost $90 To $305 Per Lost Record
Forrester Research surveyed 28 companies that had some type of data breach and found it difficult to calculate the expenses that resulted.
While security breaches can cost a company dearly when it comes to a marred public image and a loss in customer confidence, the actual financial costs can be staggering.
The average security breach can cost a company between $90 and $305 per lost record, according to a new study from Forrester Research. The research firm surveyed 28 companies that had some type of data breach.
"After calculating the expenses of legal fees, call centers, lost employee productivity, regulatory fines, stock plummets, and customer losses, it can be dizzying, if not impossible, to come up with a true number," wrote senior analyst Khalid Kark in the report. "Although studies may not be able to determine the exact cost of a security breach in your organization, the loss of sensitive data can have a crippling impact on an organization's bottom line, especially if it is ill-equipped, and it's important to be able to make an educated estimate of its cost."
Kark said calculating the cost of a breach is murky territory, and he did the survey to shed some light on the costs associated with breaches, which seem to be reported with increasing frequency.
A recent Forrester survey found that 25% of respondents do not know, or do not know how to determine, the cost of data security breaches. Kark said the majority of organizations will incur a wide array of associated costs, sometimes significant enough to even put them out of business.
"It may seem like an impossible task to put a dollar value to your data breach exposure, given the variance in the numbers reported in the media," Kark wrote in the report. "You will be doing a service to your business if you are able to make reasonable assumptions about your business and develop an estimate."
He reported that discovery, response, and notification costs can be substantial. He averaged them out to be about $50 per lost record. These costs generally include outside legal fees, notification costs, increased call center costs, marketing and PR costs, and discounted product offers. "Forrester has seen a slight increase in this cost due to the increasing number of jurisdictions and circumstances to which breach disclosure applies, but we estimate this cost to be somewhere in this ballpark in the next few years," Kark added.
Lost employee productivity also is a significant cost. When employees are diverted from their normal duties, or contractors are hired to respond to data breaches, the company incurs additional expenses, according to Kark, who noted that the Ponemon Institute calculated that this cost had increased 100% in 2006, going from $15 per record in 2005 to $30 per record in 2006.
Kark also added that the increased public attention to security breaches is contributing to this price increase. "Forrester surmises that the two primary reasons for this increase have been the distractions caused by press coverage of data disclosures and the growing number of regulations and contractual obligations organizations must satisfy," he said. "Previously, when a company had a data breach, a response team would fix the problem and test the mitigation, then the company would resume normal activities. Now we have to spend time on public relations efforts, as well as assuring both customers and auditors that new processes are in place to guard against such breaches in the future."
The report also noted that managers need to plan ahead for possible regulatory fines, loss in the company's customer base, restitution fees, and additional security and audit requirements.