
What drives data breach costs?
The worldwide cost of a data breach in 2024 averages around $4.88 million, which is a 10% increase over 2023. If you are unlucky enough to be a victim of ransomware, the cost is 10% higher, at $5.37 million. And if you’re in the United States, the average cost almost doubles to $9.36 million. What exactly are you spending all this money on? Let’s dive deeper into the costs of a data breach.
Where does it all go?
According to IBM, post-breach spending falls into four key categories:
Detection and Escalation
Detection is about finding the breach (and determining the extent of it) as fast and ideally as early as possible. When a data breach is detected, the first priority is to figure out what has been compromised, how far the hackers got in, and how to plug the hole. Costs associated with this might include a new messaging system – communicating via your existing e-mail or instant messenger might tip the hackers off as to your plans, which will prevent you from being able to contain the damage. You might need more robust network monitoring, firewalls, SIEM (security information and event management) systems, and more.
Time is of the essence during the detection phase – the longer it takes, the more expensive the breach will be to unwind. It takes around 194 days to find a data breach, with an additional 64 days to contain it – that’s a lot of time for a bad actor to have access to your systems.
Escalation begins the process of notifying internal stakeholders. IT and any security personnel are often the first to know. It’s crucial to loop in customer-facing organizations like support and sales early in the process, as they are often the first points of contact for customers reaching out to you. You will want to have a statement crafted that can be sent out, which will likely involve marketing.
Notification
After internal escalation comes letting the world know – this includes regulators, customers, and the general public. Hiring a PR firm to help craft a statement is a smart move, and you’ll surely want to retain legal counsel to make sure you don’t make your situation any worse. Doing this in a timely manner is crucial so that you don’t run afoul of any regulations. There are several laws in different countries that have time-bound requirements; for instance, GDPR requires notification within 72 hours of discovering a data breach. In this stage your customers will have questions – probably a lot of questions – and it will be all hands on deck, not just for sales and support, but product and marketing as well. Maintaining accurate, clear, and consistent communication with customers, the press, and regulators is of paramount importance.
Post-Breach Response
This is a crucial, make-it-or-break-it time for companies; after the initial announcement, there is likely a great deal of attention laser-focused on you, your business, your customers, and any other person or organization in your orbit. A good post-breach response will help restore lost confidence, and hopefully minimize the impact of lost business.
An excellent example of a post-breach response comes from Okta. When they were breached in 2023, fewer than 150 customers were impacted, yet their communication was transparent and forthright, and it thoroughly detailed what they found and their next steps.
Lost Business Cost
Inevitably, when you suffer a breach, you will lose some business. Some customers will leave, some prospects will go dark, and some current customers will reduce the amount they spend. While that’s inevitable, you will also suffer the loss of future plans – your roadmap, feature development, and all other work will grind to a halt as the data breach becomes a black hole that sucks all activity in, and everyone focuses on the other three areas we’ve covered. Your UX team will become QA testers; your marketers will become support reps; and your customers will be clamoring for answers you may not have yet. It will take a long time, with a lot of intense effort, to return to some semblance of normal.
Each of these efforts alone can run up costs in the millions of dollars; combined, it’s easy to see why breaches like Target’s run into the hundreds of millions of dollars. Given that these costs are projected to continue to skyrocket, and you probably have many other things to spend $10 million on, it’s worth investing in training and security tools to keep your organization safe.
About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

