Cost of a Data Breach vs. Security
You can’t spend your way into a strong security posture. Being secure means integrating tools, policies, people, and budgets, and it will certainly require spending money. How much is the right amount? The answer depends on each organization’s unique security needs. In general, though, the best practice is to estimate the potential financial impact of an incident (the cost of a data breach) and weigh it against the cost of staying secure through breach prevention. Working this out is challenging, but it can be done.
What is the right amount to spend on security solutions? It all depends on your organization’s unique needs.
The Numbers: Data Breach Cost
What does a data breach cost? One benchmark, taken from the widely read Ponemon Institute “2017 Cost of Data Breach Study,” puts the average total cost of a data breach at $3.62 million, down 10% from the previous year. The same report puts the cost of each lost or stolen record at $141.
Comparing Ponemon with other studies, however, makes one question the validity of all the numbers. Different research reports measure cyber security costs and expenditures in different ways, and the divergence between competing breach cost estimates is surprisingly large.
Using the Ponemon figure and assuming one breach per company per year, the Fortune 500, whose combined revenue represents about two-thirds of US GDP, would suffer data breach costs of about $1.8 billion per year. In contrast, the CEO of Lloyd’s of London claimed that cybercrime would cost global businesses up to $400 billion a year (which would translate into about $42 billion in losses for the Fortune 500). Juniper Research projected $2 trillion in cybercrime losses by 2019, and Satya Nadella, CEO of Microsoft, said that cybercrime had destroyed $3 trillion of market value in a single year.
What are the true costs of data breaches? It’s probable that the numbers at both ends of this range are wrong, and beyond that we are largely guessing. A problem that costs somewhere between $1.8 billion and $42 billion a year is a problem whose actual cost is not known.
Various statistics place the cost of data breaches between $1.8 billion and $42 billion per year – quite a wide range.
Breaking Down the Cost of a Data Breach
Estimating the cost of a data breach involves more than adding up the direct costs of remediating the breach and paying damages to affected parties. Those costs are substantial, of course, but you should also account for the following:
- Loss of reputation and its impact on revenue and employee morale
- Distraction from regular money-making business activities
- Loss of customers due to a breach of trust
- IT department time diverted to investigation, remediation, and recovery
The Numbers: Cost of Security Solutions
American businesses are on track to spend about $66 billion on cyber security this year. Gartner forecasts that the overall cyber security market will grow at a 7.8% compound annual growth rate through 2019, which would still put security spending at less than 5% of worldwide IT spending.
Security spending as a percentage of IT spend varies by industry: 14% of businesses spend 3-4% of their IT budget on security, another 21% spend 5-6%, and 14% spend more than 10%.
What does this mean for the average large company? Businesses typically spend 3.62% of revenue on IT, according to Deloitte, so a $1 billion company will have an IT budget of $36.2 million and, at roughly 5% of that, security spending of around $1.8 million. (It is a coincidence, but a confusing one, that IT spend as a percentage of revenue is the same number as the Ponemon breach cost in millions.) At the same ratio, a big company with revenue of, say, $50 billion would spend about $90 million a year on security.
What the Numbers Don’t Tell You
How can you explain a business spending $90 million to avoid a $3.6 million expense? Even if a $50 billion company suffered 10 average breaches a year, it would still apparently be overspending on security. In reality, most Fortune 500 companies could absorb a $3.6 million loss without noticing. Something else is clearly going on: either the true cost of a data breach is much, much higher than $3.6 million, or companies are behaving irrationally.
How to Make an Accurate Guess at the Cost of a Data Breach
Assuming that Fortune 500 companies are not run irrationally, what is happening here? One answer is that the Ponemon figure, while useful as an industry average, is the wrong tool for pricing data breach risk. An alternative is to borrow from decision theory and estimate the cost of a data breach as an expected value: the cost of each possible outcome weighted by the probability that it occurs.
| Incident | Probability (per year) | Cost (millions) | Predicted value (millions) |
| --- | --- | --- | --- |
| Average breach | 27% | $3.6 | $0.972 |
| Big breach | 1% | $1,000 | $10 |
Ponemon puts the likelihood of an average breach at 27% per year (strictly, the report gives 27.7% as the probability of a material breach over a two-year window, so the annual figure is a little lower; 27% is used here as a round number). A 27% probability of a $3.6 million loss has a predicted value of 0.27 × $3.6 million = $972,000. A big breach, on the other hand, the monster/nightmare scenario seen at companies like Equifax, might cost a billion dollars; at a 1% annual probability, such an incident has a predicted value of $10 million.
These are coarse numbers, but they give you a sense of the true range of data breach costs. Much of the discrepancy between the seemingly low Ponemon breach cost and the much higher estimates from others probably comes down to this kind of probability-based calculus: an average cost per incident says nothing about the rare, very expensive breach that dominates the expected loss.
What it Costs to Stay Secure
Returning to the original question: given the cost of a breach, how much is the right amount to spend on security? The decision theory model offers one way to look at it: spend up to the level at which the expected loss is mitigated, since spending beyond that is, on average, paying more to prevent an event than the event costs. The catch is that an expected value is an average over many years, and you only get to live through one of them. Do you really want to be the one who lets the billion-dollar attack through the firewall?
A sensible security budget is high enough that the security team is confident it can defend the organization against the worst threats and most damaging breaches. There is no magic formula, unfortunately, but one thing is certain: smart spending beats big spending. Money spent in the right places is almost always worth it. Recruiting and retaining the best SecOps people, for example, is an enduring investment in security.
The truth: It’s a complicated answer.
Organizations should have at least a high enough security budget that their SecOps team can defend the organization.
Another aspect of the security budgeting dilemma is how much to allocate to breach prevention and detection versus breach response. Some hold that breaches are inevitable, so you always want to be well equipped to deal with an incident. That is true, but it is still better to avoid the breach in the first place, and the two are not exclusive: a budget needs both.
The WALLIX approach is to aid breach prevention, detection, and response at once with a Privileged Access Management (PAM) solution. PAM protects privileged accounts, whose users can reach administrative back-ends, change system settings, and potentially view confidential data, which is exactly why these are the accounts an attacker most wants to compromise.
PAM is a fundamental security countermeasure on its own, and it also helps many other controls function effectively. A patch management policy, for example, is essential to breach prevention, and it works best when admins can see who performed a patch, when, and how, which is the kind of accountability PAM provides for privileged sessions. For these reasons, PAM represents a high-value investment in security, one that balances the cost of a breach with the cost of defense.
To learn more about WALLIX PAM solutions, get in touch.