Finding How Much Security Breaches Hurt Your Bottom Line
How much would a data security breach cost your company? The answer is difficult to predict, and almost as difficult to determine after the fact, because so much of the impact is soft-number damage to reputation, stock value and product sales. Meanwhile the problem of data loss is on the rise, hitting high-profile corporations with alarming frequency and making headlines regularly. Major U.S. defense contractor Lockheed Martin is only the latest big name in a string of malicious cyberattacks. Its breach is rumored to be linked to its use of RSA’s SecurID two-factor authentication tokens; RSA itself, the provider of that system, was infiltrated in March 2011.
Lockheed Martin is a salient example of the increasing overlap between firms and the risks inherent in such close technological relationships. When one company depends on technologies owned by others (often many others) just to perform daily operations, security risk appears in countless places and cannot be controlled beyond the boundary of each firm’s own system. Despite this built-in risk, that is the situation of virtually every business today. Now-standard practices such as outsourced record management systems, and the arrival of cloud computing, are blurring the lines between one firm’s system and another’s. One company’s security problem quickly becomes another’s, so adopting strong security measures in-house grows more crucial all the time. Yet many companies lag in integrating effective security controls into their systems and practices, or even in finding up-to-date information about them, so there is no end in sight to the recent rash of attacks on data security.
The consequences are serious and the costs steep. Detection, investigation, containment, and the many aspects of recovery and post-incident changes to operations add up to a heavy expense burden for each victim organization. Add the effects on public relations and stock market value, and the long-range cost of a data security breach becomes virtually impossible to determine, even in approximate dollar amounts.
No one can budget precisely for a breach, but a useful estimate can make or break a corporation’s future. A recent Forrester survey found that 25% of respondents did not know the cost of data security breaches, or did not know how to calculate it. According to Forrester Senior Analyst Khalid Kark, most firms would be forced to absorb a variety of costs, some high enough to put them out of business. So even if the exact dollar amount cannot be planned for, determining an approximate cost of data loss is a critical element of business planning.
As a starting point, consider the costliest kinds of attack. Ponemon Institute figures show that the attacks carrying the highest price tag come from malicious insiders, malicious code and web-based attacks; together these account for more than 90 percent of an organization’s annual cybercrime cost. Consider also the different areas of work involved on the victim’s side of a cybercrime. Legal fees, call center costs, marketing and PR, notification costs and discounted product offers, lost employee productivity and contractor pay are all expenses a company can expect to incur from a single data breach. Some of these risks, and their attendant costs, can be avoided with end-of-life plans for storage media, including hard drive shredding; companies such as RenovoData Services in Eden Prairie, Minn., provide this service for a fee. It is an additional expense, but the cost of leaving intact drives for a malicious insider to find and exploit is far higher.
Is there a way to calculate an estimated cost?
A helpful estimate can be produced with the right tools. In 2007, Darwin Professional Underwriters, Inc. created the Tech//404© Data Loss Cost Calculator to approximate the total expense of most data breaches. Its proprietary algorithm estimates potential costs across three categories: internal investigation, customer notification/crisis management and regulatory/compliance expenses. By entering the number of records lost, a business gets instant estimates scaled to the scope of an actual breach or a hypothetical one. The calculator does not include soft-number costs such as potential lawsuits or changes in reputation or stock price.
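To make the structure of such an estimate concrete, here is an added example in Python. It is not the Tech//404 calculator (whose algorithm is proprietary) and not code from the original article. It models each of the three categories the calculator reports as a fixed component plus a per-record component, caps the regulatory exposure, and deliberately leaves out the soft costs (lawsuits, reputation, stock price) that the calculator also excludes. Every unit cost in CostAssumptions is a hypothetical placeholder, not a published figure; the function and class names are likewise the example's own.

```python
"""Illustrative breach-cost estimator (added example; all unit costs are
hypothetical placeholders, not published or vendor figures)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CostAssumptions:
    """Unit costs in US dollars. Replace every value with quotes from your
    own forensics vendor, mailing house, call center and outside counsel."""
    # Internal investigation: a forensics retainer sets a floor, then the
    # work scales with the number of records to be reviewed.
    investigation_fixed: float = 50_000.0
    investigation_per_record: float = 0.50
    # Customer notification / crisis management.
    notification_per_record: float = 1.50       # printing, postage, e-mail
    call_center_per_record: float = 0.75        # only a fraction of recipients call
    credit_monitoring_per_record: float = 10.0  # one year of monitoring per person
    crisis_pr_fixed: float = 25_000.0           # PR firm engagement
    # Regulatory / compliance.
    regulatory_fixed: float = 20_000.0          # counsel, filings with regulators
    regulatory_per_record: float = 0.20         # statutory per-record exposure
    regulatory_cap: float = 1_000_000.0         # many statutes cap the total


def estimate(records: int, a: CostAssumptions = CostAssumptions()) -> dict:
    """Return the hard-cost breakdown for a breach of `records` records.

    Soft costs (litigation, reputation, stock price) are intentionally not
    modelled; they are the part no calculator can put a number on."""
    if records < 0:
        raise ValueError("records must be non-negative")
    investigation = a.investigation_fixed + a.investigation_per_record * records
    notification = (
        a.crisis_pr_fixed
        + (a.notification_per_record
           + a.call_center_per_record
           + a.credit_monitoring_per_record) * records
    )
    # The cap models the statutory ceiling: exposure grows with records
    # only until the ceiling is reached.
    regulatory = min(a.regulatory_cap,
                     a.regulatory_fixed + a.regulatory_per_record * records)
    total = investigation + notification + regulatory
    return {
        "records": records,
        "investigation": investigation,
        "notification": notification,
        "regulatory": regulatory,
        "total": total,
        # Fixed components make small breaches expensive per record;
        # per-record cost falls as the breach grows.
        "per_record": total / records if records else None,
    }


def scenario_table(record_counts, a: CostAssumptions = CostAssumptions()) -> list:
    """Estimate several hypothetical breach sizes at once, for planning."""
    return [estimate(n, a) for n in record_counts]


if __name__ == "__main__":
    print(f"{'records':>10} {'investig.':>12} {'notif.':>12} {'regul.':>12} "
          f"{'total':>14} {'per record':>11}")
    for row in scenario_table([1_000, 10_000, 100_000, 1_000_000]):
        print(f"{row['records']:>10,} {row['investigation']:>12,.0f} "
              f"{row['notification']:>12,.0f} {row['regulatory']:>12,.0f} "
              f"{row['total']:>14,.0f} {row['per_record']:>11,.2f}")
```

Running the table shows the shape a practitioner should expect from any such model: with these placeholders a 1,000-record breach costs over a hundred dollars per record because the fixed retainer and PR engagement dominate, while at a million records the per-record figure is driven almost entirely by notification and credit monitoring and the regulatory line has hit its cap. The value of writing the model out, rather than reading a single number off a black-box calculator, is that each assumption is visible and can be replaced with a real quote.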
What it will do is give your business a framework for thinking about the realistic cost of a data security breach, and a dollar figure for the worst case. What it cannot do is protect against future cyberattacks. In an increasingly technological world, the best protection is vigilance in security, sound system integration and self-education about the best, most current security methods. In other words, human vigilance and ingenuity.