In today's interconnected world, organizations are responsible for their cyber security practices as well as those of their third-party vendors. With increasingly complex risk management scenarios, the impact of a data breach can be catastrophic for an entire supply chain.
According to IBM's 2022 Cost of a Data Breach study, 83% of participating organizations had experienced more than one data breach, and the average cost of a breach for U.S. companies was $9.44 million, more than double the global average of $4.35 million.
And if you think these are all caused by internal weaknesses, you'd be wrong. Many of the cyber security breaches in 2022 stemmed from third-party risk: 51% of organizations reported a data breach caused by a third party.
The financial impact of a data breach is significant, but it's only the tip of the iceberg. The actual cost of a data breach goes beyond dollars and cents. Let's examine the ramifications of such a breach.
- Understanding the Costs of Cyber Security Breach
- Why the Wide Cost Ranges?
- Why is the Cost of Cyber Attacks Increasing?
- What are the Top Reasons for Third-Party Breaches?
- Best Practices to Prevent Data Breaches
- Who Needs Third-Party Vendor Cyber Security Risk Management?
- The Impact of Ignoring Cyber Security Threats
Understanding the Costs of Cyber Security Breach
The biggest threat a cyber security breach poses to your business is financial: unforeseen expenses in lost data, downtime, lost business, wages paid for idle staff, and even regulatory fines.
Cost of Data
IBM's report put the global average cost of a data breach at $4.35 million, or $164 per compromised record. Ransomware was among the biggest culprits: ransomware breaches grew 41% in frequency in 2022 and cost companies an average of $4.54 million.
Destructive attacks also increased in frequency and cost, averaging $5.12 million, roughly $430,000 more than the previous year.
Costs balloon further the longer a breach goes undetected. In 2022, the average time to identify and contain a breach was 277 days (about nine months), and breaches that took longer than 200 days to contain cost an average of $1.12 million more than those contained faster.
Cost of Downtime
Calculating the cost of a breach doesn’t only entail the cost of the lost data but also its consequences—one of which is downtime.
A data breach can quickly force operations to halt, with all efforts focused on containing the breach and recovering from the attack. During this time, the business will also rack up expenses.
According to the 2022 Data Protection Trends report by Veeam, the average cost of downtime is $88,000 per hour, or $1,467 per minute, and in some industries it is far higher.
For example, downtime costs around $22,000 per minute in the auto industry, while large industrial manufacturers lose $10,000 to $250,000 per hour due to downtime.
Lost Business
Another consequence of a data breach is reputational damage for the company, which ultimately results in lost business. According to a survey conducted by PCI Pal, consumers are likely to abandon businesses that fail to secure their data.
Specifically, 83% of U.S. consumers said they would stop spending with a business for several months after a security breach, and 21% said they would never return to that business. The numbers for Canadian, U.K., and Australian consumers are similar.
As a result, data breaches can cause a business' consumer base to plummet, directly affecting its revenue. A study shows that 29% of organizations lost revenue after a data breach, and, of those victimized, 38% lost over 20% of their regular revenue.
Idle Employees and Lost Wages
All regular tasks are put on the back burner to deal with the cyber security breach. Until it is fully resolved, many employees cannot resume their daily work, which means significant downtime with idle staff who are not equipped to help manage the threat.
Often only the I.T. and incident response team can work productively during this period, yet the organization is still obligated to pay the wages of every employee waiting for systems to come back.
Ransomware in particular can lock up workstations and applications outright, leaving employees unable to do anything productive at all.
Regulatory Fines
Companies that mishandle consumer data are deemed complacent, and regulators have been imposing stringent and severe fines. In 2021, Luxembourg's data protection authority fined Amazon $877 million for violations of the General Data Protection Regulation (GDPR) in how it processed personal data (a processing violation rather than a breach as such).
In 2022, Ireland's Data Protection Commissioner (DPC) fined Instagram $403 million for a GDPR violation that involved publicly exposing the phone numbers and email addresses of child users.
In the same year, the Ireland DPC fined Meta (Facebook) $277 million over a data-scraping incident that exposed the personal information of more than 500 million users.
Why the Wide Cost Ranges?
It's difficult to give an exact figure for the financial impact of a data breach simply because every business is different. The same data loss can be more expensive for one company than for another because it holds more valuable data, uses that data differently, or has different protection measures and cyber security defenses in place.
Ultimately, the cost of data loss can be broken down depending on the following factors:
- Organization size
- Amount of data lost
- Value of data lost
- Impact of the breach on business operations
- Recoverability of the data
- Length of downtime
- Speed of recovery/ containment/ incident response
Why is the Cost of Cyber Attacks Increasing?
The global cost of cyber crime is expected to grow 15% annually over the next five years, reaching a whopping $10.5 trillion per year by 2025, more than the damage inflicted by natural disasters and the global trade in illegal drugs combined.
[Chart: Statista, cyber crime expected to skyrocket]
Cyber attacks are becoming more expensive for companies to experience and recover from. Part of this can be attributed to technological advances, which give attackers new tools to exploit.
One example is ChatGPT, which attackers can use to help draft malware and other attack tooling aimed at company systems.
New technology means more sophisticated attacks; hence more expensive and complex solutions are required to address them. At this point, it's clear that technology is becoming a double-edged sword.
As businesses rely more on technology to facilitate daily operations and transactions with third-party vendors, this ecosystem becomes more vulnerable to cyber threats—all it takes is one breach in their computer systems to halt all operations.
What are the Top Reasons for Third-Party Breaches?
Working with third-party vendors is unavoidable but can pose many risks to a business. Third-party breaches are among the most common types of security breach, and they typically trace back to the following:
Unpatched Security Vulnerabilities
I.T. systems require regular updates and security patches to provide optimal protection against cyber attacks, but all too often patching is skipped, delayed, or done incorrectly.
Companies can remedy this with strict patching policies and timelines, applied both internally and to all third-party vendors and service providers, and verified rather than assumed (for example, by requiring vendors to report patch status against agreed deadlines and checking it during reviews).
Human Error
A study conducted by Stanford University Professor Jeff Hancock revealed that human error accounted for 88% of data breach incidents, whether due to the misuse of personal data or unsuspectingly clicking on a phishing email.
This underscores the importance of solid cyber security awareness training that keeps employees aware of cyber threats and teaches them how to detect suspicious emails and other types of communication.
Malware
Malware can give hackers back-door access to your computer network and data. Hence, your third-party risk management program must consider this threat and outline steps to prevent it.
Best Practices to Prevent Data Breaches
As part of a resilient and robust cyber security defense, businesses must undertake the following best practices to prevent data breaches and protect themselves from cyber attacks.
Back-Up Data
Data loss can lead to harrowing costs for a business. To minimize the impact of a data breach, organizations must ensure that all their data is backed up for use in case it is lost or destroyed. Backups only help if they survive the attack: ransomware operators routinely target online backups, so keep at least one copy offline or immutable, and test restores regularly.
Create Strong Passwords
Stolen or weak passwords were a factor in 81% of hacking-related breaches. Organizations must therefore push employees toward strong, unique passwords for corporate accounts: favor length over complexity rules, provide a password manager, and screen new passwords against lists of known-breached passwords rather than relying on the user's judgment alone.
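As an added example that is not from the original article, the check below shows how a breached-password screen works using the k-anonymity range scheme: only the first five hex characters of the password's SHA-1 are sent to the lookup service, and the matching suffix is found locally so the full hash never leaves the client. The range data here is constructed for the example (it contains the real SHA-1 of the string "password"); a real deployment would fetch the range for each prefix from a breached-password service. The minimum length of 8 is an assumed policy value.

```python
"""
Added example (not code from the original article): screening a
candidate password against breached-password data with a k-anonymity
range lookup, plus a minimum-length rule.
"""
import hashlib

# Constructed range data keyed by SHA-1 prefix, in "SUFFIX:COUNT" form,
# mimicking what a range lookup returns. The single entry is the real
# SHA-1 of "password" split into its 5-char prefix and 35-char suffix.
RANGE_DATA = {
    "5BAA6": [
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    ],
}

MIN_LENGTH = 8  # assumed policy value for this example


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, as range services expect."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breach_count(password: str, range_data=RANGE_DATA) -> int:
    """
    Return how many times the password appears in breached data (0 if never).
    Only the 5-char prefix would be sent to a remote service; the suffix
    comparison happens here, on the client side.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_data.get(prefix, []):
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def check_password(password: str, range_data=RANGE_DATA):
    """Return (ok, reason): length rule first, then the breached-list screen."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    hits = breach_count(password, range_data)
    if hits:
        return False, f"appears {hits} times in breached-password data"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("short", "password", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate))
```

The point of the prefix/suffix split is that the lookup service learns at most which one-in-a-million bucket the password falls into, so the screen can be applied to real user passwords without disclosing them.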
Conduct Cyber Security Awareness Training
Employees are the first line of defense against a cyber attack. But often, they are also the weakest link. Companies must foster a company culture that is cyber aware, which means investing in cyber security awareness training that keeps employees informed, vigilant, and educated on cyber threats and how to prevent them.
Implement Multifactor Authentication
Multifactor authentication requires a second proof of identity beyond the password to log into platforms or accounts. It goes a long way toward preventing data breaches, because a stolen password alone no longer gets an attacker into the company's network; the caveat is that one-time codes can still be phished or replayed if the server accepts them carelessly, so prefer phishing-resistant factors where available and verify codes strictly.
Implement Security Measures
Organizations should make it as difficult as possible for attackers to reach their systems, platforms, and data. You can do this through a variety of proven and tested security measures, including, but not limited to:
- Firewalls
- Intrusion detection systems
- Encryption
Install antivirus software
Cyber attacks don't always play out in an instant. Malware can sit hidden in an I.T. infrastructure for weeks before it does damage. Reliable, up-to-date antivirus or endpoint protection software can block known infections and flag suspicious activity before it turns into a breach.
Install a firewall
A firewall works by blocking unauthorized traffic into and out of a network. As a business owner, it's a good idea to configure it so that only the connections the business actually needs are allowed, and to review those rules as systems and vendors change.
Who Needs Third-Party Vendor Cyber Security Risk Management?
Third-party cyber security risk management should be in place for every company that works with vendors, suppliers, service providers, financial services firms, or contractors. In these relationships, personal data, no matter how little, is shared for the third party's access and use, making it vulnerable to a data breach on their side as well as yours.
The Impact of Ignoring Cyber Security Threats
In today's day and age, where cyber threats are rampant, it's no longer a matter of "if" your business will be a victim but "when."
Every company can be on the receiving end of a cyber attack that can wreak havoc on their operations and cost them millions of dollars in lost data, downtime, and lost revenue.
The results of a cyber attack can be financially taxing and overall disastrous. It only takes a small error, unsafe online behavior, or outdated software to fall victim to a data breach. This is why companies must make proactive efforts to protect themselves.