Data breaches cost more than ever, and the fallout lasts even longer than previously thought, IBM has revealed in a new study.
Colorado Springs cybersecurity expert Terry Bradley knows this firsthand.
“My company, PLEX, worked a ransomware data breach case starting back in February of this year,” he said, “and we will probably be there till February of next year. There’s not only the working of the actual incident — finding out what the scope is, containing it, eradicating the bad guys from the network — but then there’s the process of restoring services and recovering from it, which usually entails adding a lot of capabilities that weren’t there to begin with.”
IBM’s 2019 Cost of a Data Breach Study shows breach costs are on the rise, and U.S. companies are hardest hit financially.
For firms in the United States, the average cost of a data breach has risen almost 39 percent over the past five years to $8.19 million — more than double the global average. Worldwide, the average cost of a breach is $3.92 million.
In almost every data breach, Bradley said, the cost of remedying the breach far exceeds what it would have cost to put cyber protections in place.
“The incident response consulting time is very expensive,” he said. “It’s very hard to get these resources; there are very few people who are good at doing incident response and containing these types of breaches — and so they charge premium rates.
“This is the cyber equivalent of needing a thoracic surgeon in the emergency room. You’ve been rolled in, you’re dying, there’s no negotiating on price. You want the best, and you want them now, and that comes with a premium. So $300, $500, $800 an hour, these are not labor rates that are outside the pale of orthodoxy. It’s just very, very expensive to do the incident response work.”
The Business Journal talked with Bradley, chief technology officer at PLEX Solutions LLC, as well as Pikes Peak SBDC cybersecurity consultants and Corvus Technologies LLC co-founders Coryn and Eric Mann, for local insights on the major findings of the IBM study.
Breach costs are rising because of the “long tail” of an attack — the years-long financial impact after a cyber incident.
“Companies have to deal with financial repercussions that take a toll,” Coryn said. “There are a range of costs associated with a data breach, such as paying off fines, repaying affected customers, plummeting share values and paying for better insurance protection to ensure a breach doesn’t happen again.”
A breached company also has to ensure compliance with regulatory agencies, Eric explained, “which is a full process in itself.
“When customer data is breached, you also have to pay for credit monitoring and identity protection services for your customer,” he added. “Also, in order to remediate the issues, the affected company will have to invest in the security that they should have already invested in, by identifying how the breach happened and discovering the root cause. Once that has been accomplished, then the company will need to implement processes and procedures. All this accounts for the ‘long tail’ and why it drags out so long.”
Lost business is the biggest factor in data breach costs.
“Companies have to deal with reputational damage … which can range from loss of customer trust to loss of the customer,” Coryn said.
And the type of data matters.
“If confidential data has been compromised — to include personal and financial details of customers or employees — those people are susceptible to identity theft,” she added. “Customers lose confidence in the company’s brand and don’t feel that their data is secure, which causes a major impact to your business.”
Small businesses face disproportionately greater breach costs, which hampers their ability to recover financially.
“I think small businesses get disproportionately impacted because, in my experience, when I’m talking to small businesses about doing proactive security measures, they have no budget for that,” Bradley said.
“There’s no line item in their budget to do security assessments, to do vulnerability scanning, to write security policies. The IT department is expected to do all that: ‘Keep everything up and running, enable the organization to do what it is they do — and oh also, do it all securely.’
“Typically, there’s no separate budget for security. So when the data breach happens, where does this money come from? It’s going to come out of profit; it’s going to come out of places that were never intended to fund it. And so that financial impact can hit small to medium-sized organizations really hard.”
Companies with an incident response team and tested incident response plan save an average of $1 million-plus in the event of a data breach.
“We always recommend to our customers that they have an incident response plan developed and approved and in place,” Bradley said.
“The very next thing we recommend is that you practice it from time to time, gather the team together, work through even a basic scenario and identify gaps and problems with the plan. Sometimes these plans are created in an ivory tower, or from an academic perspective — and then when you get the actual people in the room, you find out, ‘Well, that’s not exactly how it works’ or, ‘These aren’t the right people who need to be there.’
“Practicing that plan is going to save a lot of time — because when the real security incident kicks off, you don’t want the deer-in-the-headlights look from your executives, like ‘I have no idea what you’re talking about.’”
Trying to figure everything out on the fly while mitigating a data breach costs “exponentially more than utilizing a proven and tested process,” Eric said. “American businesses need to adopt the U.S. government’s philosophy concerning data breaches: It is not a matter of if, but when.”
Note: In this story, the phrase “practice security measures” has been corrected to “proactive security measures.”