Petty cash won't cover the cost of a data breach

Disclosing data unlawfully or becoming embroiled in a security incident has always been inconvenient and generally costly for businesses. Business-critical information might fall into the wrong hands, or cyber attacks could take essential services offline. The indirect costs of such incidents, such as public relations, recovery, compliance checks, improvements to security measures and hiring extra staff, have only risen in the last few years under increasing pressure from regulators. Meanwhile, the total costs, direct and indirect consequences combined, have reached alarming levels. A recent study by the Ponemon Institute, supported by IBM Security, calculated the average cost per incident at 3.92 million US dollars. In Germany, this figure is higher at 4.25 million euros per incident, an increase of 12 percent over the last five years.

The Ponemon Institute has analyzed hundreds of cost factors associated with data breaches in its "Cost of a Data Breach" study since 2012. A total of 500 businesses took part in the study, 36 of them in Germany. Average losses for small companies with fewer than 500 employees amounted to 2.5 million US dollars per incident. Sums of this size can easily threaten the existence of a business with an annual turnover of less than 50 million US dollars. Compared with last year's figures, the sharp rise in costs stands out: an increase of 9.76 percent, the largest year-on-year rise since the study began. Ponemon attributes this sudden rise to intensified regulation (particularly the GDPR) and the complexity of criminal investigations following data breaches.

For the first time, the analysts considered not only the immediate but also the long-term costs of cyber attacks. Although the lion's share (67 percent) of data breach costs is incurred within the first year, a further 22 percent arises in the second year, and businesses can expect the remaining 11 percent to materialize more than two years after the incident. Long-term costs are higher for businesses in more heavily regulated sectors: health, finance, energy and pharmaceuticals are likely to be hit hardest. In Germany, the average cost per lost or stolen data record is calculated at 172 euros, a 9.1 percent increase on the previous year. The finance industry has the highest cost per compromised data record (301 euros), followed by service companies (230 euros) and industrial companies (229 euros). Cyber attacks by third parties are the most common cause of data breaches: over half of data breaches in Germany (56 percent) were the result of malicious or criminal attacks.

However, other causes such as human or technical error are neither rare nor without consequence. Technical errors are responsible for a quarter of all data breaches, costing 140 euros per data record; 19 percent of data breaches are down to human error, costing 148 euros per data record. This means that around 45 percent of all incidents were caused by issues that are comparatively easy to address. Many of these root causes can be tackled with awareness training tailored to specific business needs, target groups and threat vectors. Configuration errors that inadvertently allow access to sensitive data also fall into this category. According to IBM's estimates, incorrectly configured cloud servers put 990 million data records at risk in 2018 alone. Lapses of this kind have resulted in the exposure of millions of patient records, as well as more than one million fingerprints, on the Internet. If companies finally took the opportunity to revise their processes and implement the basic technical measures that a practical governance policy requires, they would achieve a great deal at relatively low cost. Companies can also take other measures to reduce the cost impact of a data breach, including improving the speed and efficiency of their response, establishing an incident response team and encrypting data, as the Ponemon report recommends. According to the report, an incident response team reduces costs by 13.90 euros per compromised data record and encryption by 12.70 euros; note that encryption only limits the damage if the keys are managed separately from the data, so that a stolen copy remains unreadable.