Data Breach Crisis Management: The Costs Are Rising

Erik Bernstein | crisis management, data breach | 3 Comments

Average breach now costs $4 million

Data breaches are more than a reputation threat; they are expensive, and that expense is rising. According to new research from IBM’s security division, the average cost of a data breach has risen 29% since 2013 and now stands at a staggering $4 million per incident. Consider that the most frequently cited hurdle to properly preparing for a breach is financing, and then consider that every single lost or stolen record costs an average of $158. See the disconnect?

IBM puts the likelihood of a data breach involving 10,000 lost or stolen records in the next 24 months at 26%, and the chance of many smaller breaches in that time may as well be 100%. The bad news is that, no matter how strong your security, you can’t prevent every breach. The good news is that there are a few things you can do right now to mitigate the damage you take. According to IBM, having an incident response team in place drops the cost per record by $16, the biggest saving of any defensive measure. Use of encryption ($13 saved per record), training employees on proper procedure ($9), threat sharing ($9), and appointing a chief information security officer ($7) all reduce your cost for each record lost or stolen in a breach.

Early detection followed by rapid action is perhaps the biggest cost saver of all: organizations that contain a breach within the first month spend nearly a million dollars less on average than those that discover and react to it further down the road.

We are in the age of the data breach, and while there is not much you can do to prevent breaches entirely, there is a great deal you can do to reduce the impact on your organization and its stakeholders. And, as with many other types of crisis management, your efforts will be significantly more effective if they are launched before an ugly situation actually appears. Prepare for the worst and hope for the best; the saying is a cliché for a reason.


3 Comments

  1. Phil Cox

    The (rogue) elephant in the corner may be the throwing up of hands of senior management in the face of the seeming inevitability of being hacked. Worse yet would be an attitude of, “It can’t happen to us.”

    This sounds quite akin to the centuries-long history of senior college faculty attitudes on the intractability of date rape, that, “Boys will be boys.”

    Another elephant (this one possibly to be tamed) might be a lingering attitude of priesthood on the part of IT folk.

    1. Erik Bernstein (post author)

      Good points Phil. If the folks calling the shots aren’t willing to acknowledge the risks, and what they can do to mitigate or prevent damage, then they’re in for a bad time down the road.

      I would go so far as to say that attitude of priesthood, as you say, is dangerous for anyone within an org. If every critical role isn’t being double-checked then it’s creating more room for trouble to quietly creep in.
