Putting a Price Tag on Security Incidents and Examining the Cost of a Data Breach
12 Jan 2022 |
IN-6407
"Monetizing" Past Security Incidents? |
NEWS |
Organizations that have been the victim of cyberattacks and data breaches are not exactly forthcoming or eager to share the news with the public. Loss of shareholder and customer trust, disruption of operations, and loss of business and long-term market share are just some of the top concerns for businesses affected by a data breach. Security vendors routinely use these cyber-attacks as part of their standard marketing operations, and an increasing number of them may even resort to blatant fear tactics to advertise their services.
There are, however, two key metrics that are used to influence Chief Information Security Officers (CISOs) and Chief Security Officers (CSOs): loss of business and operational disruption in the aftermath of a data breach. These two metrics can be quite effective, particularly when there is concrete evidence from past breaches and security incidents that has been recorded and examined by security service providers, emergency response and cyber insurance providers, industry, and standardization organizations. Additionally, one could make the case that having a better grasp of the ramifications of a cyber-incident on both day-to-day operations and future strategy should be part of a CSO’s duties.
So, would putting a price tag on security incidents actually help kickstart security investments? If not, how big a hit to a company’s bottom line does a data breach need to be before it is taken seriously? And what would the average cost of a data breach look like when considering the greater IoT ecosystem?
What is the Average Cost of a Data Breach? |
IMPACT |
When it comes to a data breach, most organizations focus their attention on two key areas: first, the point of actual detection (or the point where an attacker is revealed, e.g., through a ransomware demand), and second, the post-breach event and damage control procedure. However, if the full spectrum is to be examined properly by cyber-forensic processes, the roadmap should also include additional stages that vary according to each incident. These can include: a) pre-incident events that might appear minor and uncorrelated; b) penetration testing attacks used to “test” the security response from the point of view of the defender; c) risk assessment of insider threats from individuals having high-tier access to network resources; d) risk assessment of Advanced Persistent Threats (APTs) that might lie dormant and undetected in the victim’s network; and e) risk assessment of security threats that can be disguised as regular processes, such as those that try to siphon information surreptitiously or perform cryptojacking, among many others—and this is only the start of this complex endeavor.
Analyzing the cost of a data breach is a challenging task that relies upon a plethora of multi-faceted assets, the damage to which might seem impossible to measure correctly or even estimate accurately. Research interviews with Internet of Things (IoT) and security vendors revealed that the actual cost of a data breach can vary greatly, on average between US$2 million and US$10 million, and will depend upon company size, personnel, number and type of endpoints, database and server capacity, compute power, and on-premises or cloud operations, among many other variables.
In November 2021, IBM, in collaboration with the Ponemon Institute, released the Cost of a Data Breach Report for 2021, one of the most valuable sources of data regarding cybersecurity breach incidents for the last seventeen years. According to the latest report, the average cost of a data breach in 2021 was estimated at approximately US$4.24 million, marking an increase of 12% since 2015. Healthcare, financial services, pharmaceuticals, technology, and energy dominate the top spots, with an average cost of a data breach between US$4.7 million and US$9 million, while retail, media, hospitality, and the public sector are at the bottom of the list with an average cost ranging from US$1.93 million to US$3.27 million.
In 2021, the most common data lost or stolen during breaches was PII (personally identifiable information), which, on average, carried a cost of around US$180 per compromised data record. The most crucial attack vector is compromised credentials, which accounted for approximately one-fifth of all data breaches. The top concern for victims of a data breach appears to be loss of market share in the aftermath of the attack, which includes a rapid increase in customer turnover, business loss during network failure and system downtime, and difficulty in acquiring new business.
Counterpoint: Is it Really a Viable Metric? |
RECOMMENDATIONS |
It should come as no surprise that, over the past year, multiple interviews and discussions with leading companies across different IoT segments revealed that while investing in digital security “should” be pushed higher on the implementation list, it can also appear disruptive when it comes to budget prioritization and can increase internal misalignment regarding key strategic areas. Interestingly, the same companies also mentioned that operational disruption is a major threat in the aftermath of a data breach, since the reliability of internal systems will be limited and coordination with partners will plummet, greatly affecting damage control operations.
This effect will be magnified in the absence of a proper data disaster recovery plan needed to replicate databases, refuel servers, and kickstart critical systems operations. Further, for many organizations the average cost of a data breach is seen as an arbitrary figure, and this uncertainty is only exacerbated once the threshold into the IoT domain is crossed, adding to the mix the many additional segments in this broad ecosystem, from industrial, energy, and transportation to many other critical infrastructure applications.
There is a host of caveats to consider when undertaking a cost-benefit analysis for cybersecurity investments based on past cyber-attack trends. However, it should be quite useful for security vendors to further examine past cyber-incidents and ascertain their monetary cost to organizations—even in the form of an average function or a cost range. This will allow them to put a price tag on their services based on their customers’ connected assets, attack surface, types of operations, and digital infrastructure, rather than relying on a marketing pitch showcasing the positive aspects of a new security service or using FUD (Fear, Uncertainty, and Doubt) tactics. If there is one thing that industrial and IoT-focused enterprises appreciate during security negotiations, it is a clear-cut perspective on business loss and operational disruption based on facts gathered from past incidents and rising application-specific threat vectors. In turn, this will create new revenue streams and value-added options, but most importantly it will cement cybersecurity investment not as a stand-alone service, but rather as a fundamental investment in system reliability, operational support, and transparency across an ever-increasing number of third-party collaborations.