Security Costs - Part II

Last week I talked about the factors that contribute to the physical cost of security: the hardware, the software, and the engineering resources.  This week covers a different sort of cost, the cost of not doing enough: the cost of a breach.

You've been breached, what now?

  • Lost Revenue - If your users can't use their systems to work, they can't make your organization money.  Straightforward logic there.
  • Forensic Investigation - You're going to be paying someone outside your organization to run a forensic investigation.  This is going to be costly: the investigation itself, the people, the time, the tools, etc.  It will be roughly equivalent to an audit, except that the urgency and the circumstances drive the cost up.
  • Postmortem - After the forensic investigation, you're going to be working with your team to establish what went wrong and how to prevent it in the future.
  • Notification Costs - It costs money to notify all of your customers of the breach.
  • Regulatory Liability Costs - Legislation may impose a penalty per data record exposed.  This can add up quickly depending on the size and scope of the breach.
  • Civil Liability Costs - On top of the statutory penalties, there may be further costs from lawsuits brought against your organization.
  • Credit Monitoring Services - Your organization may be required to provide a monitoring service to all affected customers at your expense after the breach.  A service like this may be priced per record or as a lump sum, but either way it's an additional cost.
  • Lost Business - A huge factor in the cost of a breach is customer churn.

All of this adds up pretty quickly.  According to IBM's 2020 Cost of a Data Breach Report, the average cost of a breach in 2020 was $3.86 million, and the average cost per record lost or breached was approximately $150.  Even if your business is on the smaller side, this can grow into a large number rapidly.

The breach costs above don't include another important factor: the cost of changing your security architecture to prevent future breaches.  Here are some questions to consider:


Do you have an effective strategy for addressing the gaps that your security plan has already shown in the past?

Do you have 24/7/365 coverage to depend on for after hours security issues?

Do you have a security review and approval step for new applications and technologies before they are adopted?

Finally, one more figure to keep in mind when you weigh all of the costs above...

A widely cited figure claims that as many as 60% of businesses with fewer than 500 employees go out of business within six months of a major security breach.