How Much Does a Data Breach Cost?

According to IBM’s Annual Cost of a Data Breach Report 2021, the average cost of a data breach is around $4.24 million. In the United States and Canada, it’s even higher. So what makes data breaches so costly, are business leaders aware of the risks, and what can be done to prevent breaches? 

What makes a breach so costly?

A number of factors contribute to the cost of a breach including lost business due to reputational damage and system downtime, legal action and regulatory sanctions, detection and forensics, containment and recovery, and notifying authorities and affected parties.   

For the average $4.24 million data security incident, here’s the overall cost breakdown (and percentage of total costs) for 2021 according to IBM:

Sponsorships Available

Sponsorships Available

Sponsorships Available

• $1.59m (38%) — Lost business costs, which include customer churn, downtime and new business acquisition 
• $1.24m (29%) — Detection and escalation costs, including hunting down and identifying the breach. Also includes getting key team members involved and/or any external services (forensic, legal, etc.).
• $1.14m (27%) — Post-breach response cost to cover containment, eradication and recovery processes
• $0.27m (6%) — Notification costs to inform regulatory agencies, partners, customers and the general public.

The United States was the top country for average total cost of a data breach for the eleventh year in a row. At $9.05M, their average is more than twice as high as the global average. Canada’s average of $5.05M also puts them above the global average cost.

As data privacy laws like GDPR become more commonplace around the globe, the cost of regulatory sanctions are becoming a bigger factor in the cost of a data breach. Under the GDPR, the EU’s data protection authorities can impose fines of up to up to €20 million (roughly $22 million USD), or 4 percent of worldwide turnover for the preceding financial year—whichever is higher. In countries like South Africa, Singapore or Thailand, consequences can also include criminal charges that may even result in imprisonment. 

Are business leaders aware of the risk of a data breach?

It seems as if these risks are well understood by now. According to a recent global survey, the Allianz Risk Barometer 2022, decision makers and risk management experts from around the world, have ranked cyber incidents as the most important global business risk for 2022. They see this topic more critical than many others like the pandemic, or business interruption due to supply chain issues.

What is also interesting to observe is the landscape of job titles at organizations worldwide. The role of the CISO is not new, but it has certainly gotten a lot more visibility in the last few years. There has been a visible increase of roles such as Chief Data Officer, which is proof that executives certainly understand the importance of data. Discussions about data assets vs data liability have become top level topics, because the importance of data and the corresponding risks and potentials are so huge.

What can be done to prevent data breaches?

The reality is that data breaches are becoming more and more frequent and they are often detected long after the fact. You have to operate from the standpoint that you may have already been breached and simply aren’t aware of it yet. The key principles to follow here are data minimization, data-centric security, and zero trust:  know what sensitive data you have and where it’s stored, only collect sensitive data you need to operate, delete sensitive data after you no longer need it, and protect any sensitive data you store or process whenever possible with an appropriate form of cryptography throughout it’s lifecycle.

While traditional perimeter-based defenses have their place and purpose, modern IT environments rarely have a clear perimeter given that there are so many touchpoints and interconnected systems. In the likely event that perimeter defenses are breached, you should have sensitive data protected whenever possible. Not only is this the most sound strategy from a cybersecurity perspective, it is also required by various data protection laws and standards around the globe, such as GDPR and PCI DSS.