Last week I talked about the cost factors that contribute to security through its physical costs - the hardware, the software, the engineering resources. This week is a different sort of cost: the cost of not doing enough. The cost of a breach.
You've been breached, what now?
Lost Revenue - If your users aren't able to use their computers to work - then they aren't able to make your organization money. Straightforward logic there.
Forensic Investigation - You're going to be paying someone outside of your organization to run a forensic investigation. This is going to be costly - you pay for the investigation itself, the resources, the time, the tools, etc. It is comparable to an audit, except that the urgency and the circumstances drive the cost higher.
Postmortem - After the Forensic Investigation, you're going to be working with your team to verify what went wrong and how to resolve it for the future.
Notification Costs - It costs money to notify all your customers of the breach.
Legal Liability Costs - There could be a cost in liability per data record exposed. This could add up quickly depending on the size and scope of the breach.
Civil Liability Costs - Beyond the penalties imposed by legislation after the breach, there may be additional costs from lawsuits brought against your organization.
Credit Monitoring Services - Your organization may be required to provide a service to all of your customers at your expense after the breach. A service like this may cost per record or as a lump sum, but either way it's an additional cost.
Lost Business - A huge factor in the cost of the breach is customer churn.
All of this adds up pretty quickly. The average cost of a breach in 2020 was $3.86 Million according to IBM. The average cost per record lost / breached is approximately $150. Even if your business is on the smaller side, this could add up to a large number rapidly.
The cost of the breach above doesn't include the other important factor - the cost to change your security architecture in order to prevent future breaches. Here are some questions to consider:
Do you have an effective strategy to handle the mistakes your security plan has had in the past?
Do you have 24/7/365 coverage to depend on for after-hours security issues?
Do you have a security approval step for new applications / technologies?
Finally, one thing to keep in mind when you weigh all of the costs above...
As much as 60% of businesses with less than 500 employees go out of business within 6 months of a major security breach.