Data breaches: It’s a $4 million per incident problem now

I’ve discussed the cybersecurity threats facing the U.S. business community more than a few times in this space – go here and here for just two examples – as well as the direct threat hacking poses to trucking companies, as this story aptly describes.

Now an annual global study sponsored by IBM Security compiled by the Ponemon Institute has determined that the monetary impact from such events is rising considerably, with the average cost of a data breach increasing 29% to $4 million since 2013.

The study also indicated that cybersecurity “incidents” continue to grow in both volume and sophistication, with 64% more security incidents reported in 2015 versus 2014.

And as cybersecurity threats become more complex, the monetary harm they inflict continues to increase as well, the IBM/Ponemon study finding that companies now lose $158 per compromised record.

In fact, response activities such as incident forensics, communications, legal expenditures and regulatory mandates account for 59% of the cost of a data breach, with the process of responding to a breach becoming much more complex and time consuming if not properly planned for.

The study also found the longer it takes to detect and contain a data breach, the more costly it becomes to resolve. While breaches that were identified in less than 100 days cost companies an average of $3.23 million, breaches that were found after the 100 day mark cost over $1 million more on average – or some $4.38 million.

The study also found that the average time it takes to identify a breach is about 201 days, with the average time needed to contain a breach at around 70 days.

Yet improving one’s cybersecurity defenses is no easy task, as a recent report Deloitte Advisory dubbed Beneath the surface of a cyberattack: A deeper look at business impacts determined.

Deloitte's study reveals that:

• The direct costs commonly associated with data breaches – customer notification, litigation costs, and regulatory fines – are far less significant than the "hidden" costs such as increased insurance premiums, operational disruption, and loss of intellectual property.
• In Deloitte's scenarios, those “direct costs” account for less than 5% of the total business impact.
• The time horizon over which impact is felt is far more protracted than is often anticipated. In Deloitte's scenarios, costs incurred during the initial triage stage of incident response account for less than 10% of the rippling impacts extending over a five-year period.
• Over 90% of cyberattack impact is likely to accrue in categories that are intangible. Given that these are less studied and more difficult to quantify, organizations can be caught especially unprepared for these "costs" in areas such as operational disruption, impact to trade name and loss of intellectual property.

"The ability to quantify intangible damages is especially important in anticipating business impact. In many cases, an approach based on tallying actual recovery costs that hit the balance sheet would paint a significantly distorted picture of the cost to business performance," noted Hector Calzada, a managing director with Deloitte Advicory’s business valuation services.

"Rarely brought into executive and board conversations around cyber risk are the costs and consequences of IP theft, cyber espionage, data destruction, or business disruption, which are much harder to quantify and can have a significant impact on an organization," added Don Fancher, one of the firm’s principals and global leader for Deloitte forensic.

"Our intent is not to scare executives into thinking that all cyber incidents will be more costly than they think,” he pointed out. “It's to give them a better understanding of their specific risks so they can make more educated decisions that are aligned with their business strategies."

That’s good advice for trucking executives, too, as they increasingly must navigate far more digitized pathways in the freight world.