The Non-Refundable Fundamentals: Estimating the Cost of a Data Breach

Written by

Quantifying the financial impact of a data breach before it occurs is like assuming you can win roulette using insider trading. How is that? The average cost of a breach per record stolen today is roughly $221, according to research released earlier this year by the Ponemon Institute. Of that figure, one-third is a predictable direct measurement. When estimating the monetary ramifications of a data breach, calculating the direct costs for resolution matters – such as technical services and notifications – is easier than predicting indirect expenditures such as customer retention and employee loss.

Those obscure indirect costs adversely impact business reputation and productivity. In order to estimate the potential cost of a data breach, taking a programmatic approach to determine both the predictable and unpredictable costs can reduce the unexpected impact of an incident.

Elements of the Issue: What Affects the Cost?
Most elements of what affects the total cost of a breach can be broken down into key identifiers, including the indirect costs that have these arbitrary price tags. The identifiers can be distinguished by:
•    Cause of the attack
•    Type of industry or sector
•    Total records lost
•    Current notification costs
•    Service costs, such as legal, communications, technical (forensics), credit monitoring and assessments
•    Insurance protection

Indirect costs vary based on the development of business strategies that address unpredictable areas such as reputational damage. This means you cannot determine the exact cost if you cannot predict the public reaction and any investments made to remediate that reaction. You can attempt to estimate the total cost of a data breach with the direct identifiers in conjunction with the indirect identifiers based on the proactive activities taken to reduce exposure.

Elements of the Solution: How to Predict the Cost
How do we accurately dissect the other two thirds of the price of a breached record? Estimating the cost of a data breach customized to your sector is simple. However, to truly understand your total estimation you also must recognize your proactive investments. The actual implementation of those proactive solutions can reduce the overall likelihood and/or impact of a breach. An incident management program allows you to bundle these efforts into a repeatable process, giving you continuous observation on your potential loss.

The elements of an economic solution that can mitigate unforeseen expenses of a breach cover the technical and operational identifiers of the following:
•    An incident response team and incident management program in place
•    Employee training that includes executive-level personnel
•    Use of technologies for data loss prevention, widespread encryption and data classification
•    Escalation processes for investigative, forensic and auditing purposes
•    Activities that preserve brand and control business reputation, such as advanced media planning, which allows an organization to control its storyline by communicating these overall preventative techniques

The Path Forward
The direct and known costs of data breaches shouldn’t be the sole determinant for quantifying your risk. Applying this pragmatic mindset in order to measure those unknown costs goes beyond just the estimation itself and allows power and control over an incident to be something that is measurable.

Using the above solution elements within your process, you can not only benchmark your hypothetical loss from a breach, but you can begin to influence the impact.

What’s hot on Infosecurity Magazine?