There are costs involved to implement cybersecurity practices, but the return on investment is worthwhile
Few businesses are surprised by cybersecurity regulations like New York’s 23 NYCRR 500. After all, one in four companies in the United States has undergone a cyberattack, with the average resulting cost across all organizations hitting seven figures.
It takes money to make money, so the saying goes. And there are costs involved in implementing cybersecurity practices. Newer and more cybersecurity regulations are going to continue to roll our way, and they may increase those costs – but they’re probably worth it. Here’s why.
By the numbers
The Ponemon Institute’s annual cost of data breach study, which last year was sponsored by IBM Security, compiled information from 419 companies in 13 countries. Because it tracks which practices were in place at each company, the nonprofit institute is able to offer insight on how cybersecurity practices can help to lower the costs of a breach.
This global study generated extremely valuable insights. The participants’ respective data breaches ranged from about 2,600 records up to slightly less than 100,000 records. From this sample, Ponemon determined:
- The average cost of the data breach to these companies was $3.62 million
- The average cost per stolen record could be broken down to $141
- That per-record figure is an average 10% increase over the previous year
- Based on historical data, there is a 27.7% likelihood of a recurring data breach over the next two years
- That likelihood is a 2.1% increase over the previous year
Trends illustrated by the numbers
The Ponemon Institute’s survey shows that certain factors can contribute to or reduce the cost of a data breach. It provided information on 20 factors, ranging from encryption and security analytics to compliance failures and third-party involvement. Here are two examples:
- Participating companies that had a fully functional incident response team were able to reduce the average cost per stolen record by $19 – reducing the average $141 per record to $122
- At the other end of the spectrum, if a third-party entity was the cause of the data breach, it added $17 to the cost of each stolen record – increasing the average $141 per record to $158
These are powerful statistics. They allow you to ascribe an actual cost or savings amount to your customer records. You can use the data to estimate the potential savings if you take a more proactive cybersecurity stance – as well as the cost of continuing to engage in activities that expose you to threats. Here are some examples:
- Extensive use of encryption reduced the cost per record by $16.10
- Company-wide employee training reduced the cost per record by $12.50
- Even involving the company board of directors has an impact – in this case, a reduction of $5.10 per record
- Lost or stolen devices add $7.60 to the per-record loss for these companies
- Incidents during cloud migration add $14.30 to the per-record loss
Ponemon’s sample of companies is sufficiently robust that you can likely find a participating organization that closely matches your own. Studying the cost/savings details can help you see the cause and effect of your future efforts. Some of those efforts will be mandated by regulation, such as the recent enactment of the EU’s GDPR and New York’s 23 NYCRR 500 cybersecurity regulations.
You’ll discover, for example, that:
- The cost of a data breach does not scale in proportion to the records lost – Ponemon’s survey showed that the $1.9 million cost of a data breach for a company losing fewer than 10,000 records skyrockets to $6.3 million when the number of records lost increases only modestly to 50,000
- The cost of a data breach is significantly less ($2.6 million) if your customer churn rate is below 1%, but it nearly doubles ($5.1 million) if your customer churn rate is greater than 4%
- Your industry plays a role in data breach costs – health and financial companies have higher churn rates than retail or hospitality companies
- There’s a distinct correlation between the total cost of a data breach and the time it takes to identify it – with malicious attacks taking the longest to uncover
Regulatory entities are stepping forward and requiring you to comply with cybersecurity requirements. They can be local, like New York’s DFS requirements – or global in nature, like the EU’s GDPR. These organizations have good intentions, and their regulations ultimately will likely save money – even if it seems like they’re costing you now.