Researchers Struggle to Determine True Cost of Data Breaches
The scenario—a hypothetical breach of 3.8 million patient records and the use of those records to access healthcare claims—could cost nearly $60 million in direct damages, Deloitte estimated. But the softer losses—especially lost contract revenue, lost customers and brand damage—could total more than $1.6 billion. "While some of this increase is due to our growing awareness of the actual impact of breaches, in some ways, that impact—the damage—has always been there," Mossburg said. While the massive costs seem hyperbolic, they are in line with another study produced by Juniper Research that claims cyber-crime costs will surpass a massive $2 trillion in annual damages by 2019. The analyst firm claims that the average cost of a data breach will be more than $150 million by 2020. A more modest estimate, from the Ponemon Institute's “2016 Cost of Cybercrime” report, found that the average company could expect a $4 million loss per breach incident today. U.S. companies have consistently higher losses, including an average breach cost of $7 million and an average per-capita breach cost of $221. U.S. companies and organizations also encountered higher costs from the loss of customers, the report stated."It is kind of interesting that, as more and more companies are getting better at detecting attacks and preventing attacks, they are getting better are recognizing the costs of not doing it right," he said. Having a well-trained incident response team and extensively using encryption were the two strategies that most decreased the cost of data breaches, while the involvement of a third party in the data breach and a company’s use of an extensive cloud infrastructure were the two factors that most increased costs, according to the “2016 Cost of Cybercrime” report. The disagreement between approaches is par for the course in data-breach calculations. In a paper comparing six data-breach cost calculators, two Colorado State University researchers found that each approach made different assumptions and arrived at different per-record costs for data breaches. (Three of the calculators were created in conjunction with the Ponemon Institute and three different sponsors.) "There is a good amount of expertise behind them, but anyone who wants to use them should go ahead and plug in some numbers for well-known breaches and see what numbers they get," Yashwant K. Malaiya, a professor of computer science at Colorado State and co-author of the paper on the research, told eWEEK. Yet, researchers and analysts are getting closer to giving companies a good forecast of what a data breach might cost. Malaiya, for example, plans to consolidate the various methods of calculation and come up with a more accurate method to determine breach costs.
Larry Ponemon, chairman of the Ponemon Institute, argued that companies often have focused on the costs that are put onto the balance sheet, but increasingly they are realizing that a large number of soft costs should be included in the damages from a breach.