The News: IBM’s Cost of a Data Breach Report, done in partnership with Ponemon Institute, is out, and the average global data breach cost has now hit almost $4.5 million, the highest it has ever been. Its effect could partly explain the rising consumer costs for products and services. Access the full report here.
IBM’s Cost of a Data Breach Report Reveals Data Breach Cost Is an All-Time High, Raising Consumer Prices
Analyst Take: Instances of data breaches, across businesses of all sizes and across all industries, are speeding up, and according to the 17th annual IBM Cost of a Data Breach Report, the cost of a data breach is at an all-time high, which is not at all surprising.
Legal expenses, settlement costs, the cost of notifying customers, PR and crisis comms, lost business costs — all these factors play a part in rising costs as a whole. For instance, in 2019, the Federal Trade Commission (FTC) ordered Equifax to pay $575 million as part of the settlement for the 2017 attack. Following its 2019 breach, Capital One agreed to pay $190 million to settle a class action suit, a little over a year after the U.S. Office of the Comptroller of the Currency also fined the company $80 million. Uber, Marriott, British Airways, Target, Tesco Bank, Anthem — all victims of data breaches and all fined millions and/or ponying up class action settlements — to the tune of about $1 billion in costs so far.
The cost of a data breach, of course, goes far beyond the bottom line, settlements, fines, and the like. The IBM report shared that lost business makes up the largest of the data breach costs, on average costing organizations $1.59 million. There’s a reputational hit that could result in customer churn and impact new customer acquisition, along with costs for threat detection, external forensics, containment, eradication, and recovery processes, as well as notification costs in informing regulatory agencies. In short, it’s a lot.
How the Lack of Cyber Experts Also Leads to Higher Breach Cost
While the IBM report highlights the factors that lead to the high cost of data breaches, it also cites a surprising reason for the high price of these attacks: skills shortage.
The demand for cybersecurity experts has been outpacing supply for years now. Late 2021 research from Cybersecurity Ventures reports the number of unfilled positions grew by 350 percent over an eight-year period and was expected to reach around 3.5 million by 2025. And this lack is contributing to about 80% of data breaches, according to Fortinet.
- It takes much longer for companies to detect the breach, and longer still to fix it. A 2020 IBM study revealed that it is not unusual for it to take enterprises almost a year before they knew they had been attacked and eventually learned to contain it.
- Our research shows that organizations that understand the importance of Security Operations use dashboards that provide the IT team complete visibility across the board and continuous monitoring. That same research showed that organizations that have a less sophisticated approach to cybersecurity don’t believe their organizations have been breached. Organizations that do understand the risks and that rely on more sophisticated technology know that their organizations detect threats and attempted intrusions on a daily basis. An IT team that lacks cybersecurity expertise and/or technology that affords visibility into IT operations puts the entire organization at risk.
- Cybersecurity experts play a huge role in designing, simulating, and protecting businesses from various forms of cybercrimes. But with the lack of trained personnel, many organizations are left vulnerable. They cannot immediately pinpoint their weaknesses, which attackers can later exploit.
- The high level of vulnerability to attacks, especially in high-data, highly regulated organizations such as healthcare and banking institutions, could result in higher insurance costs.
- The lack of cyber experts also affects the productivity of a company. Downtime caused by data breaches can lead to lost sales and opportunities, as well as customers taking their business elsewhere.
- The skills shortage could also mean higher labor costs. Organizations are willing to pay top dollar for in-demand cybersecurity talent.
Data Breach Cost Means Higher Consumer Prices
Data breaches will always produce a ripple effect that can be good or bad. One of the biggest potential issues with them is they could drive consumer prices up.
This spells bad news for customers already feeling the pinch of various economic hardships. For example, the inflation rate in June rose by 9.1%, one of the highest over the last forty years. Buyers are also dealing with severe supply-chain issues brought about by the pandemic.
Enterprises prone to attacks could also add to the problems by adding the data breach cost to the prices of their products and services. The IBM report showed that at least 60% of organizations hit by the attacks eventually increase prices.
While the report didn’t elaborate on why, the following could possibly explain it:
- Recoup possible losses from downtime or business interruption. Organizations usually incur high costs when they need to stop operations to fix a problem. They could charge higher prices to quickly make up for the money lost during this time.
- Pass on the expenses associated with notifying customers, which is often required by law. In the United States, for instance, companies must inform state attorneys general about data breaches that affect 500 or more people in the state.
- Make up for other indirect expenses. Even a single data breach can lead to various consequences that affect the productivity and reputation of a company. They could put additional pressure on the organization’s budget, which they may need to cover by increasing prices.
- Get money for hiring more cybersecurity experts or boosting their cybersecurity budget. The IBM data pointed out that at least 60% of organizations without sufficient cybersecurity staff usually average $550,000 more in data breach cost than those with enough staff. In turn, they may need to raise their prices in order to attract and retain skilled talent.
- Invest in infrastructure and processes. A data breach could also prompt a company to spend more on its cybersecurity infrastructure. It needs to buy and implement new tools, as well as train its employees on how to use them. The organization may need to add new processes too, which can be costly.
In hindsight, it seems that raising consumer prices can be an inevitable consequence of data breaches. It’s one way for enterprises to recover from the significant cost associated with these attacks.
However, it would be best if businesses tried to find other ways to make up for the expenses. After all, they need to maintain their competitiveness and keep their prices reasonable, especially in these trying times. Some steps they can explore include:
- Improving their cybersecurity posture to prevent or mitigate attacks.
- Working with their insurance provider to get better coverage (although this is becoming more difficult as breach instances rise).
- Making their customers aware of the steps they’re taking to protect their data.
- Maximizing the zero-trust approach, which is a security strategy that doesn’t rely on predefined trust levels. It focuses on verifying every user, device, and application before granting them access to sensitive data.
- Understanding that both hardware and software play a role in cybersecurity vulnerabilities, and having systems in place to monitor, detect, mitigate, etc., at both the hardware and software levels is key.
- Embracing edge computing, which is a type of distributed computing that brings data storage and computation closer to the edge or devices. Using edge, businesses can reduce the amount of data that needs to be sent to the centralized datacenter.
- Using artificial intelligence (AI) for security. AI can help organizations automate many tasks, including detecting and responding to threats.
In sum, the cost of a data breach goes far beyond the direct financial losses suffered by the organization. It could also lead to long-term consequences that could be difficult and costly to fix, including consumers bearing the brunt of a breach by way of increased prices. Businesses need to do everything they can to avoid these attacks, including ramping up their investments in tech talent, exploring technology solutions that can help quickly detect, manage, and mitigate risk, and minimizing the impact if a breach does happen.
Disclosure: Futurum Research is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of Futurum Research as a whole.
Shelly Kramer is a Principal Analyst and Founding Partner at Futurum Research. A serial entrepreneur with a technology-centric focus, she has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation. She brings 20 years' experience as a brand strategist to her work at Futurum, and has deep experience helping global companies with marketing challenges, GTM strategies, messaging development, and driving strategy and digital transformation for B2B brands across multiple verticals. Shelly's coverage areas include Collaboration/CX/SaaS, platforms, ESG, and Cybersecurity, as well as topics and trends related to the Future of Work, the transformation of the workplace and how people and technology are driving that transformation. A transplanted New Yorker, she has learned to love life in the Midwest, and has firsthand experience that some of the most innovative minds and most successful companies in the world also happen to live in “flyover country.”