7 Factors that Affect the Cost of a Data Breach

Posted by Ming Jan Sam Tue, 23 Sep 2014 15:07:00 GMT

Data breaches have become common occurrences. Business costs associated with data breaches range widely. However, the costs are not strictly direct monetary costs. Security breaches also negatively impact the reputation of businesses, generally leading to lost or reduced customer trust and confidence.   

7 Factors that Affect the Cost of a Data Breach

An independent study conducted by Ponemon Institute (sponsored by Symantec) analyzed the cost sustained by companies from a wide range of industry sectors, including financial, communications, healthcare and education, after those companies experienced the loss or theft of protected data. The research study identified seven factors that influence the cost of data breaches. The following attributes decrease the per capita cost of data breach, and are listed in order of importance:

1.    Strong Security Posture

The overall security plan is referred to as the security posture – the approach the business takes to security, from planning to implementation. Understandably, organizations which had a strong security posture experienced lower costs than those companies that had a weak security posture at the time of the incident.

This highlights the importance of enforcing a strong security posture, by implementing strong protection measures, keeping in place a comprehensive training and education program, and frequently monitoring security levels. Organizations should use tools and techniques for protecting the organization’s information assets, by integrating multiple security practices for a robust defense mechanism. This includes enforcement of password rules, restriction and control of unnecessary access to internal networks, and the vital security methods of authentication techniques and encryption.  


2.    Incident Response Plan

The study found out that organizations which did not have a security incident management plan in place during the data breach increased the cost consequences. This is not surprising, since the lack of a security procedure means that a significant delay in enabling the responsible persons to apply the correct response is to be expected.

This stresses the importance of having an all-encompassing security policy which describes in detail the security violation response. A rapid response following an information security incident re-enables network protection and the restoration of the normal network operations. Moreover, in order to be well prepared in the event a security incident takes place, the support staff should receive continuous practice.  


3.    A CISO (or Equivalent Title) has the Overall Responsibility for Enterprise Data Protection

The management of data protection should be centralized, whereby an information security professional should be responsible. Ideally, a Chief Information Security Officer should have a strong balance of technology knowledge and business acumen, and be in charge of information security, information risk management and cybersecurity.


4.    Consultants were Engaged to Facilitate Data Breach Remediation

Organizations which used consultants to help with their data breach response and remediation strategies experienced lower costs than those which did not appoint any consultants; in the US, those organizations that appointed consultants managed to decrease the cost an average of $13 per compromised or exposed record.

The following three factors increase the per capita cost of data breach, also listed in order of importance:


5.    Data Lost Due to Third Party Error

Data breaches resulting from third parties resulted in higher cost consequences; in the US, third party errors increased the cost of data breach by an average of $43 per record. The security policy should also cover third parties, including vendors, suppliers and business partners, and these should implement all the preventative measures.


6.    Lost or Stolen Devices were Involved in the Data Breaches

Data breaches resulting from lost or stolen mobile devices, such as laptops, smartphones and tablets, as well as from portable data storage options such as USB drives, containing confidential or sensitive information, lead to elevated costs.

The replacement cost of the device itself is another factor to take into account when estimating the data breach cost, and thus measures to prevent loss or theft of the mobile devices should be in order. However, it is the data which should be given first priority for protection.

Probably the best option for accessing company data in the corporate network through smartphones would be that data is not downloaded to the smartphone at any given time. This means that since no data is loaded to the smartphone, no data can be lost or stolen if the smartphone is lost, since all data is completely and securely located in the central corporate network.

Furthermore, remote access to sensitive or confidential information should only be allowed via access methods which are secure, authenticated and centrally-managed. This can be achieved via implementation of an SSL VPN, due to its ease, high security and flexibility. Modern SSL VPN solutions use strong encryption and authentication methods such as tokens, Smartcards and SSL client certificates to enable a secure connection to the enterprise network.


7.    Quick Notification to Data Breach Victims

In several countries, including the US, regulations dictate the timely notification of data breach victims. Notwithstanding, if organizations are too rapid in contacting individuals, this can actually result in higher costs. In this context, the term “quick” refers to organizations which notified data breach victims and/or regulators within 30 days after the discovery of data loss or theft. In light of the research findings, it is advisable to allow a longer time period to notify individuals, while still complying with the country’s regulations.    



Data breaches can lead to long-lasting repercussions due to the numerable costs involved. Knowledge of the factors that affect such costs facilitates the process of risk mitigation, since organizations can put in place the necessary security measures.


no comments |

You must be registered in order to write comments. To register as a new user click here.

If you're already registered, please leave a comment here

Leave a comment