Key takeaways:
In today's digital age, data is the lifeblood of businesses. However, the vulnerabilities inherent in our interconnected world have made data breaches a pervasive threat. 2023 saw a record high of 3,205 publicly reported data compromises that impacted an estimated 353,027,892 individuals. While the financial toll of these incidents is often staggering, the actual cost extends far beyond monetary losses.
Data breaches leave a devastating trail in their wake, from the immediate financial burdens of detection, response, and regulatory penalties to the long-term erosion of trust and reputational damage. As we navigate an increasingly complex digital threat landscape, understanding the true cost of these attacks is essential for organisations seeking to build resilience and protect their most valuable assets.
RSM Technology Leaders, Rami Wadie and Haresh Ahuja, delve into the multifaceted impact of data breaches, examining both the direct financial consequences and the often-overlooked non-financial repercussions.
Factors that affect the cost of a data breach
There is, of course, no such thing as a good data breach. Even a minor breach can have shocking financial and non-financial costs. With this in mind, there are several factors that can influence the cost that a data breach in your organisation will incur.
Internal protocols
The cost of a data breach is heavily influenced by internal factors such as the organisation's awareness of threats, how threats are assessed, and access management. The first port of call for any organisation that takes cybersecurity seriously is awareness. A stronger awareness of the cyber-threat landscape leaves organisations better equipped to enforce security measures and maintain compliance, reducing the likelihood of breaches.
A proper assessment of data vulnerabilities is also critical; identifying weaknesses and ensuring robust access controls can safeguard sensitive information. A failure to conduct thorough assessments leaves gaps that bad actors can exploit.
Additionally, many breaches are caused by insider attacks, often stemming from weak identity and access management (IAM). Ensuring that only authorised individuals have access to systems through strong IAM practices—such as prompt access provisioning and de-provisioning—significantly mitigates risks. Without adequate awareness, rigorous assessments, and secure access management, organisations face higher breach costs and far-reaching consequences.
Regulatory environment
Outside of the direct costs that bad actors may impose on a business they attack, the organisation may find itself facing additional penalties in regions with stricter data protection laws. For example, the General Data Protection Regulation (GDPR), in effect since 2018, has levied some severe penalties against organisations that have breached its data protection rules: in 2023, Facebook/Instagram owner Meta was issued a staggering fine of €1.2bn after mishandling data transfers.
Industry sector
Costs can also be dependent on the industry of the organisation that is being attacked. The healthcare sector, for example, sees a significantly higher average loss per cyber-attack than any other sector – an average cost of $10.93 million per breach, almost double that of the financial sector.
Breaking down sectors by cost, industries handling the most sensitive data, such as healthcare and finance, typically face higher breach costs. With more sensitive data at stake, bad actors gain more leverage through ransomware, forcing their victims to pay under the threat of releasing the data to the public – potentially causing far more damage beyond just the financials.
Time to detect and contain
Of course, during an attack, faster response times can limit the amount of data that is compromised, significantly reducing the cost of a breach. With less data lost, there is less potential damage to third parties and less reputational damage, and there is less for the attackers to hold to ransom. Notably, a report from IBM X-Force has indicated that enterprise ransomware incidents have dropped by 11.5%, whilst data theft and leak incidents have risen by 32%. All the same, less data for bad actors means less to sell, impacting their bottom line and potentially dissuading them. Implementing a continuous monitoring system will help detect and contain threats earlier, allowing organisations to exercise better control by deploying threat intelligence tools.
So, what could a data breach cost you?
Looking purely at the financials, the global average cost of a data breach is $4.88 million – a 10% increase from last year and the highest total ever recorded, according to IBM’s Cost of a Data Breach Report 2024.
If we look at the geographical breakdown of breach costs, a previous 2023 report covering 553 organisations across 16 countries/regions and 17 industries found that the five countries/regions with the highest average cost of a data breach were:
- United States: $9.48 million (up 0.4% from 2022)
- Middle East: $8.07 million (up 8.2% from 2022)
- Canada: $5.13 million (down 9% from 2022)
- Germany: $4.67 million (down 3.7% from 2022)
- Japan: $4.52 million (down 1.1% from 2022)
The individual components of a breach's total cost are hard to quantify precisely, but much of it falls into the cost areas discussed in the previous section.
The non-financial costs of a data breach
Beyond the financial costs, a data breach could have several other potentially severe ramifications that businesses should consider.
- Reputational damage: Data breaches can severely damage trust and confidence in an organisation. This can erode customer loyalty and potentially lead to lost business. A study found that the largest breaches in companies are associated with a 5-9% decline in reputational intangible capital.
- Operational disruption: Breaches can seriously disrupt normal business operations. In 2023, it took an average of 204 days to identify a breach and 73 days to contain it. Detection and containment can consume a significant amount of resources and lead to disruptive downtime during which normal operations are halted.
- Legal and regulatory costs: As mentioned previously, data breaches can incur some seriously hefty fines and penalties from cyber security regulations. This is in addition to any lawsuits that businesses may have to face from any fallout resulting from a breach.
- Employee morale: Data breaches can impact employee morale, especially if personal employee data is compromised. Employees who lose confidence in their organisation's ability to protect their data may walk out. According to a poll, 64% of people surveyed agreed with the statement: "I have opted to not work with a business because of concerns around whether they would keep my data secure".
How to minimise the risks of a data breach
Having discussed how serious a data breach can be, all is not doom and gloom. With the appropriate security measures and robust cyber security policy and planning, organisations can mitigate the chances of a data breach and minimise the costs if there is one. It is crucial for organisations to invest in their cyber security capabilities. This includes:
- Creating and implementing a strong governance structure with clarity on reporting responsibilities.
- Raising the discussion of the topic to the boardroom.
- Enforcing data governance measures.
- Improving security culture across organisations.
- Implementing strong data protection measures, such as data encryption.
- Conducting regular security assessments.
- Developing comprehensive incident response plans and conducting scenario simulations.
- Providing employee cybersecurity training and conducting regular cyber awareness sessions to improve your organisation’s cyber hygiene.
- Ensuring that systems are updated with critical patches.
- If appropriate, engaging relevant agencies to monitor the dark web for any chatter about your organisation.
- Conducting disaster recovery/business continuity planning drills to ensure operations continue after an unexpected disruption.
- Ensuring, together with the respective vendors, that third-party applications have strong security measures in place.
- Maintaining cyber insurance coverage with policies covering data loss, business loss, reputational loss, and third-party incidents.
- Maintaining proper role-based hierarchical access control for applications.
- Implementing zero-day protection tools to safeguard applications and databases.
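One way to put the identity and access management points above (prompt de-provisioning, and role-based access control for applications) into practice is a periodic reconciliation check. The script below is an added example and not RSM's code: it compares an IAM account export against an HR roster and flags accounts still enabled after an employee's termination date (a de-provisioning gap), accounts with no HR owner at all, and permissions that exceed what the employee's role allows. The roster, the accounts and the role-to-permission policy are constructed sample data, and the `grace_days` window is an assumption to be set by the organisation's own joiner/mover/leaver policy.

```python
"""Reconcile an IAM account export against an HR roster (added example).

All records below are constructed for illustration; real deployments would
load them from the HR system and the identity provider.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# Constructed policy: the permissions each business role is allowed to hold.
ROLE_PERMISSIONS = {
    "analyst": {"read:reports"},
    "finance": {"read:reports", "write:ledger"},
    "admin": {"read:reports", "write:ledger", "manage:users"},
}


@dataclass
class HRRecord:
    employee_id: str
    role: str
    termination_date: Optional[date] = None  # None means still employed


@dataclass
class IAMAccount:
    username: str
    employee_id: str
    enabled: bool
    permissions: Set[str] = field(default_factory=set)


@dataclass
class Finding:
    username: str
    kind: str  # ORPHAN, STALE_ENABLED, EXCESS_PERMISSION or NO_ROLE
    detail: str


def audit_accounts(hr: List[HRRecord], accounts: List[IAMAccount],
                   as_of: date, grace_days: int = 1) -> List[Finding]:
    """Return one Finding per control gap found in the account list."""
    hr_by_id = {rec.employee_id: rec for rec in hr}
    findings: List[Finding] = []
    for acct in accounts:
        rec = hr_by_id.get(acct.employee_id)
        if rec is None:
            # Nobody in HR owns this account: it cannot be de-provisioned on exit.
            findings.append(Finding(acct.username, "ORPHAN", "no matching HR record"))
            continue
        if rec.termination_date is not None and acct.enabled:
            overdue = (as_of - rec.termination_date).days
            if overdue > grace_days:
                findings.append(Finding(acct.username, "STALE_ENABLED",
                                        f"still enabled {overdue} days after termination"))
        allowed = ROLE_PERMISSIONS.get(rec.role)
        if allowed is None:
            findings.append(Finding(acct.username, "NO_ROLE", f"unknown role {rec.role!r}"))
            continue
        excess = acct.permissions - allowed
        if excess:
            # Least privilege: permissions the role does not justify.
            findings.append(Finding(acct.username, "EXCESS_PERMISSION",
                                    f"{sorted(excess)} not permitted for role {rec.role!r}"))
    return findings


# Constructed sample data: one leaver whose account was never disabled,
# one analyst holding an admin permission, and one account with no HR owner.
SAMPLE_AS_OF = date(2024, 6, 1)
SAMPLE_HR = [
    HRRecord("E1", "analyst"),
    HRRecord("E2", "finance", termination_date=date(2024, 5, 1)),
    HRRecord("E3", "admin"),
    HRRecord("E4", "analyst"),
]
SAMPLE_ACCOUNTS = [
    IAMAccount("alice", "E1", True, {"read:reports"}),
    IAMAccount("bob", "E2", True, {"read:reports", "write:ledger"}),
    IAMAccount("carol", "E3", True, {"read:reports", "write:ledger", "manage:users"}),
    IAMAccount("erin", "E4", True, {"read:reports", "manage:users"}),
    IAMAccount("svc_backup", "E9", True, {"read:reports"}),
]


def run_sample() -> List[Finding]:
    """Audit the constructed sample; expected: bob, erin and svc_backup are flagged."""
    return audit_accounts(SAMPLE_HR, SAMPLE_ACCOUNTS, SAMPLE_AS_OF)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:18} {f.username:12} {f.detail}")
```

Run on a schedule, the three finding kinds map directly onto the controls discussed above: STALE_ENABLED measures how promptly de-provisioning happens, ORPHAN surfaces accounts that would never be caught by a leaver process, and EXCESS_PERMISSION shows where role-based access has drifted from the policy.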
As the threat landscape continues to evolve, understanding the global cost of data breaches is critical for businesses to prioritise cybersecurity investments and effectively manage risks.