The rise in cybercrime puts companies under constant threat of hacking, data leakage, and other unpleasant incidents. In the worst case, a security breach can put an organization out of business; the better outcome is that it only causes financial losses. If a company wants to mitigate this risk, how does it determine the actual cost of a security failure?
Strategic security decisions should balance cost, protection, and usability. Estimating the cost of IT security risk is especially tricky, however, because any digital business has many unknown variables and many different ways of accounting for loss.
In June 2018, a Ponemon Institute study of the cost of data loss showed that losses from major breaches average $3.9 million. This is about $148 for one breach.
Compare these results with the 2015 US Federal Trade Commission (FTC) report, which lists various costs of cyber attacks on information, security incidents, breaches of confidentiality, and certain financial crimes such as phishing and skimming. Although the commission estimated total losses from cybercrime at $10 billion annually, it also found that the typical cost of breaching data confidentiality is less than $200,000. The difference is significant, but who is right?
The last company to lose its business because of a data breach was CardSystems, a high-risk payment processor, and that happened almost 15 years ago. Many companies, however, have suffered serious financial losses without going out of business. Home Depot, for example, still faces the consequences of its 2014 data breach: two years ago the company agreed to pay banks an extra $27.25 million, in addition to the $179 million already spent, to deal with the effects of the hack. And when Saudi Aramco was infected with the Shamoon malware, it had to replace 30,000 systems.
ROKKEX usually addresses individual users on the topic of personal cybersecurity. This time we want to shed light on the losses a company incurs when it suffers a data breach.
Why Do Companies Need Data?
Let's look at why companies collect so much information.
Before digital transformation, the physical currency in a bank's vault was its most valuable asset; today data is just as valuable as the assets in the banks, because data is money.
Data serves as the basis for behavioral and predictive models, allowing companies to anticipate the actions of customers and, as a result, improve communication and prevent customer churn. Collected data also helps improve the effectiveness of advertising, for instance in social networks.
Data Is Priceless
Today, data is called the main asset, the fuel of digital business. In the private and public sectors of the developed world, organizations are aware of this and are ready to invest in tools that will allow them to benefit from and monetize the data they collect. The Global Data Protection Index (GDPI) study found that 92% of respondents are aware of the potential value of information. Without exaggeration, personalization and data collection form the basis of internet technologies.
But the value of data raises the question of its security, and ensuring security at the proper level is becoming more difficult. First, the volume of information itself is proliferating: from 2016 to 2018 the growth was almost sevenfold, from 1.45 to 9.7 PB.
Second, the cost of storing backup copies increases, and managing the protection infrastructure becomes more complicated. As a result, there is an acute shortage of solutions that meet not only current needs but also future ones, for example the broader introduction of artificial intelligence, machine learning, and the IoT.
Third, control over data use is being tightened. One of the most striking examples, which shook up the IT industry last year, was the introduction of the GDPR. The GDPI study claims that two out of three companies are not sure that their infrastructure and data protection processes comply with all regional regulations. At the same time, 12% of respondents who had failures and/or downtime have already faced penalties for failing to ensure information security.
Cyber Losses vs. Other Company Losses
The FTC claims that cyber incidents cost companies only 0.4% of annual revenue. For comparison, it puts losses from reduced retail sales at 1.3%, online fraud at 0.9%, and general corruption, financial misstatement, and billing fraud at 5%.
Quantifying the cost of a data breach is not an exact science. Start with the direct post-breach costs, such as consumer credit monitoring, fines, litigation costs, and prosecution costs. The cost of improving cybersecurity processes should be treated as a first-priority investment.
In addition, there are indirect costs, such as reputational damage and its impact on business growth, both in sales and in the ability to attract new talent and partners.
Second, when investigating the spending caused by a breach, it is essential to separate security incidents from data theft. The latter is more devastating than a hack, as it often leads to direct malfunctions. Cybersecurity companies estimate the costs of data breaches by forming policies for different industry verticals.
Technologies And Processes
Working out investment priorities is a strategic decision. The question is not how much a company should invest in security; the goal is to introduce technologies and processes that reduce business risk. This is a never-ending job that should be conducted regularly across each line of the business and its changing needs.
When developing a security strategy, financial indicators should be designed in terms of reduced operating expenses, performance evaluations, and current hazards.
You should evaluate the security level of your company by its weakest link, which is mostly the human factor (and that should be your priority investment).
To mitigate costs, a significant portion of the security budget must go to employee training, covering topics such as recognizing phishing attempts, handling company data, and recognizing social engineering attempts. This is the view of the ROKKEX CISO, based on extensive experience working in cybersecurity companies.
Businesses should always identify critical assets before developing security policies. The policy should include authorization based on strong authentication. Accounting (audit) technologies that flag threats during or after a breach are vital. Security management needs measurement and monitoring, and these only work with accurate event reports.
A cybersecurity strategy must protect critical business assets, such as intellectual property, financial data, and customer information. This will help the business ensure continuity after a failure. Encryption technologies are critical for data in transit, data storage, backup and recovery, and incident response.
Multi-level protection combined with authorization, accounting, and authentication policies is designed to increase the cost of an attack for cybercriminals.
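As an added example (not code from the original post or from ROKKEX), here is a minimal Python sketch of the layered model described above: authentication with a password plus a one-time code, authorization that requires strong authentication for critical assets, and an accounting trail that a monitoring query can check for repeated denials. The users, assets, secrets and policy table are constructed sample data, and the HOTP routine follows the RFC 4226 algorithm.

```python
"""Layered access control: authentication, authorization, accounting.
Added illustration, not ROKKEX code; every user, asset and secret here is
constructed sample data."""
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass, field
from typing import Optional

# --- Authentication -------------------------------------------------------
def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 password hash (standard library only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) used as the second factor."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

@dataclass
class User:
    name: str
    role: str
    salt: bytes
    password_hash: bytes
    otp_secret: bytes
    otp_counter: int = 0

@dataclass
class Session:
    user: User
    mfa_verified: bool   # whether a second factor was presented and accepted

def authenticate(user: User, password: str, otp_code: Optional[str]) -> Optional[Session]:
    """Returns a Session on success, None on any failure (fail closed)."""
    if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        return None
    if otp_code is None:
        return Session(user, mfa_verified=False)
    if not hmac.compare_digest(hotp(user.otp_secret, user.otp_counter), otp_code):
        return None                      # wrong second factor: reject, do not downgrade
    user.otp_counter += 1                # each one-time code is accepted only once
    return Session(user, mfa_verified=True)

# --- Authorization --------------------------------------------------------
# Constructed policy: which roles may read an asset, and whether MFA is required.
ASSET_POLICY = {
    "customer-db":      {"roles": {"analyst", "admin"},   "require_mfa": True},
    "marketing-assets": {"roles": {"marketing", "admin"}, "require_mfa": False},
}

def authorize(session: Session, asset: str):
    rule = ASSET_POLICY.get(asset)
    if rule is None:
        return False, "unknown asset"
    if session.user.role not in rule["roles"]:
        return False, "role not permitted"
    if rule["require_mfa"] and not session.mfa_verified:
        return False, "strong authentication required"
    return True, "ok"

# --- Accounting -----------------------------------------------------------
@dataclass
class AuditLog:
    events: list = field(default_factory=list)
    def record(self, user: str, asset: str, allowed: bool, reason: str) -> None:
        self.events.append({"ts": time.time(), "user": user, "asset": asset,
                            "allowed": allowed, "reason": reason})

def access(session: Session, asset: str, log: AuditLog) -> bool:
    """Single choke point: every decision, allowed or denied, is written to the audit trail."""
    allowed, reason = authorize(session, asset)
    log.record(session.user.name, asset, allowed, reason)
    return allowed

def repeated_denials(log: AuditLog, threshold: int = 3) -> dict:
    """Monitoring query over the accounting data: users with >= threshold denied accesses."""
    counts: dict = {}
    for e in log.events:
        if not e["allowed"]:
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}

def make_user(name: str, role: str, password: str, otp_secret: bytes) -> User:
    salt = os.urandom(16)
    return User(name, role, salt, hash_password(password, salt), otp_secret)

def demo() -> dict:
    """Walks through the three layers with constructed data and returns the outcomes."""
    alice = make_user("alice", "analyst", "correct horse", b"alice-otp-secret")
    bob = make_user("bob", "marketing", "battery staple", b"bob-otp-secret")
    log = AuditLog()
    pw_only = authenticate(alice, "correct horse", None)
    pw_only_critical = access(pw_only, "customer-db", log)          # denied: MFA required
    with_mfa = authenticate(alice, "correct horse", hotp(alice.otp_secret, alice.otp_counter))
    mfa_critical = access(with_mfa, "customer-db", log)             # allowed
    bob_session = authenticate(bob, "battery staple", None)
    for _ in range(3):                                              # wrong role, three times
        access(bob_session, "customer-db", log)
    wrong_password = authenticate(bob, "not his password", None)    # None
    return {"pw_only_critical": pw_only_critical, "mfa_critical": mfa_critical,
            "wrong_password_rejected": wrong_password is None,
            "flagged": repeated_denials(log)}

if __name__ == "__main__":
    print(demo())
```

The `access()` function is the one place where a decision is made and logged, so the audit trail is complete by construction; `repeated_denials()` is the kind of accounting query that turns those event records into a signal worth investigating, which is what the monitoring point above depends on.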
At ROKKEX, we take security extremely seriously, and our crypto exchange is built on the ‘Security First’ principle. We want to share our expertise with the broader public so that the world becomes happy, safe, and wise.