Data protection is at the forefront of most CEOs’ minds this year as the inevitability of a data breach has become very much a reality for most organisations. While many public data breaches appear to be predominantly in the US, we can’t afford to be complacent here in the UK.
The infamous data breach at TalkTalk in 2015 (actually the second that year, if not the third) certainly caused many people to wake up to this reality, not least after TalkTalk revealed that the cost of the October data breach amounts to £60 million. For a company with projected earnings before interest, tax and other items for the year ending in March of £255-£265m, and a dividend increase of 15%, this is not an insignificant amount.
Consider what it would mean to your business to have approximately a quarter of your income wiped out by a data breach. While we don’t know the breakdown of where the £60 million has been spent, we have a good idea of the costs a data breach incurs.
Calculating the cost of a data breach
The following factors can all contribute to the overall cost of a data breach. Although the average total cost of a data breach has risen year on year, to £2.37 million according to the Ponemon Institute’s most recent benchmarking report, 2015 Cost of Data Breach Study: United Kingdom, the share of the overall total spent in each area has remained fairly stable.
- Lost customer business: 43%* (TalkTalk estimated they lost 101,000 customers following the October hack, but other estimates put this figure closer to 250,000.)
- Investigation and forensics: 16%*
- Customer acquisition cost: 9%*
- Inbound contact costs: 8%*
- Outbound contact costs: 7%*
- Audit and consulting services: 5%*
- Public relations and communications costs: 3%*
- Legal services – defence: 3%*
- Legal services – compliance: 3%*
- Free or discounted services: 2%*
- Credit monitoring services: 1%*
Actual figures will naturally vary depending on the sector an organisation operates in, and the nature of the data breach. For example, ‘lost customer business’ will not be such a significant cost if the data breach only impacts on employee records. However, when looking at these figures CEOs should be aware that they may have higher risks and costs because of the sector they operate in. The table below shows the per capita cost by industry of those benchmarked organisations:
How to reduce the cost of data breaches
It’s not all doom and gloom. While another study by PwC – 2015 Information Security Breaches Survey – commissioned by HM Government, found that 9 out of 10 businesses in their survey had suffered some form of data breach, there are ways to reduce the cost to businesses. The Ponemon Institute study identified the following as factors that can reduce the cost of a data breach:
- Extensive use of encryption: up-to-date data protection methods protect against both malicious attacks and human error,
- Incident response team: clear systems, procedures and key staff to deal with any data breach ensure that no time is lost addressing the breach and mitigating it,
- BCM involvement: awareness, training and planning for getting business critical systems back up and running in the event of an incident can reduce the costs associated with loss of business significantly,
- Board-level involvement: sponsorship from the Board will ensure that cyber security and data protection procedures are embedded in the organisation,
- Employee training: clear guidance and training on how to deal with a data breach, and how to recognise one (as well as prevention training), will result in a swifter and smoother response,
- CISO appointed: fortunately for any Chief Information Security Officer reading this, your role is an important factor in preventing and reducing the risk and cost of data breaches,
- Insurance protection: data breach insurance naturally reduces the overall costs for the organisation, but may also be instrumental in putting better data breach planning in place so that incidents are managed effectively.
So although in all probability most businesses will experience a data security breach at some point, the risk can be managed and therefore the impact on your organisation reduced.
* Percentage of total cost for 2015, 2015 Cost of Data Breach Study: United Kingdom