
The Cost of a Breach

Last week I posted on the accelerating frequency and size of breaches and their effect, or lack thereof, on CyberSecurity employment and pay. The other question this raises is: what does a breach cost a company?

This is one place where we actually have enough data to get an answer. If you look in Doug Hubbard’s “How to Measure Anything in CyberSecurity” (2016), appendix B, you find this very interesting chart.

[Chart: breach cost against records breached, from SEC filings, with a linear fit (Hubbard, appendix B)]
The data points are SEC filings of breaches, particularly 10-K reports, which must include extensive information on the short- and long-term costs of breaches, and which are required of financial and larger institutions, where the bigger breaches tend to happen. Even if the costs are understated, taken at face value the data admits a very simple first-order fit: a linear relationship (y = Ax + b).

The first thing to notice is that there is an economy of scale in breaching a large number of records: the fixed cost b is spread over more records, so the average cost per record falls as the breach grows. This probably isn’t surprising, and it isn’t lost on the players responsible for the large breaches.

All in all, this is a fertile field of study for risk and actuarial science. It has lately been taken up by the IBM Security Intelligence team. What follows is an extract from their “Cost of Data Breach 2020” report (https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/). Besides reporting these overall averages:

  • Global average cost of a data breach: $3.86M

  • Highest average cost per record: $150 (customer PII)

  • Highest average cost per record: $8.64 (USA)

From their database we can also calculate the average total cost per breached record for several industries:

[Table: average cost per breached record by industry, calculated from the IBM data]
The cost per exfiltrated record in the financial industry has stayed at almost $6. I don’t know if that means we are doing a consistent job, or if the exfiltration processes just haven’t gotten any better.

So there you have it: the cost of a CyberSecurity breach in real numbers. My suspicion and experience tell me it’s larger, but science goes on data. If you apply the average number to the SolarWinds breach (50,000,000 records, not even one of the larger breaches), I get a loss of $434M. As said above, this is a first-order calculation, and the SolarWinds breach will have many other effects and costs. All the same, it is a sobering number for everyone.
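As an added example, not code from this post, from Hubbard’s book or from the IBM report, the Python script below works through the two calculations the post relies on: the first-order linear fit y = Ax + b described under the SEC chart, and the average cost per breached record by industry, which is then applied to a breach of a given size. Every breach figure in it is constructed for illustration; none comes from the SEC filings, Hubbard’s chart or the IBM database.

```python
"""Added example, not code from the post, Hubbard's book or the IBM report.

It shows a first-order linear fit y = A*x + b of total breach cost against
records breached, and the average cost per breached record by industry,
applied to a hypothetical breach size.  Every data point below is constructed
for illustration, not taken from SEC filings or the IBM database.
"""
from statistics import mean

# Constructed (records_breached, total_cost_usd) pairs, deliberately noisy.
SAMPLE_BREACHES = [
    (100_000, 1_500_000),
    (500_000, 4_000_000),
    (1_000_000, 7_500_000),
    (5_000_000, 30_000_000),
    (10_000_000, 55_000_000),
    (40_000_000, 200_000_000),
]

# Constructed per-industry (records_breached, total_cost_usd) pairs.
SAMPLE_BY_INDUSTRY = {
    "financial": [(2_000_000, 11_500_000), (500_000, 3_250_000)],
    "retail": [(5_000_000, 16_000_000), (3_000_000, 12_000_000)],
}


def fit_linear(points):
    """Ordinary least-squares fit of y = A*x + b; returns (A, b).

    A is the marginal cost per additional record in dollars; b is the fixed
    cost in dollars that every breach incurs regardless of its size.
    """
    xs = [x for x, _ in points]
    ys = [y for _, y in points]
    x_bar, y_bar = mean(xs), mean(ys)
    sxx = sum((x - x_bar) ** 2 for x in xs)
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = y_bar - slope * x_bar
    return slope, intercept


def r_squared(points, slope, intercept):
    """Coefficient of determination: the share of cost variance the line explains."""
    ys = [y for _, y in points]
    y_bar = mean(ys)
    ss_res = sum((y - (slope * x + intercept)) ** 2 for x, y in points)
    ss_tot = sum((y - y_bar) ** 2 for y in ys)
    return 1 - ss_res / ss_tot


def fitted_cost_per_record(records, slope, intercept):
    """Average cost per record implied by the line: A + b/x.

    The fixed cost b is spread over more records, so this falls as the breach
    grows; that is the economy of scale the chart shows.
    """
    return slope + intercept / records


def average_cost_per_record(breaches):
    """Total cost divided by total records over a set of breaches."""
    total_cost = sum(cost for _, cost in breaches)
    total_records = sum(records for records, _ in breaches)
    return total_cost / total_records


def industry_cost_per_record(by_industry):
    """Average cost per breached record for each industry."""
    return {name: average_cost_per_record(b) for name, b in by_industry.items()}


def projected_loss(records, cost_per_record):
    """First-order loss estimate: records multiplied by the per-record average."""
    return records * cost_per_record


if __name__ == "__main__":
    slope, intercept = fit_linear(SAMPLE_BREACHES)
    print(f"fit: cost = {slope:.2f} * records + {intercept:,.0f}  "
          f"(R^2 = {r_squared(SAMPLE_BREACHES, slope, intercept):.3f})")
    for n in (100_000, 1_000_000, 40_000_000):
        print(f"  {n:>11,} records -> "
              f"${fitted_cost_per_record(n, slope, intercept):.2f} per record")
    per_industry = industry_cost_per_record(SAMPLE_BY_INDUSTRY)
    for name, value in per_industry.items():
        print(f"{name}: ${value:.2f} per breached record")
    # Hypothetical breach size for illustration, not a real incident's count.
    print("50,000,000 records at the financial rate: "
          f"${projected_loss(50_000_000, per_industry['financial']):,.0f}")
```

Running it prints the fitted line with its R², the per-record cost at three breach sizes (which falls as the size grows, because the intercept is positive), the per-industry averages, and a projected loss for a hypothetical 50,000,000-record breach. The fit is plain least squares on the raw figures; with real filings one would also look at the residuals, since a handful of very large breaches dominates the slope.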


©2025 by Joel M. Van Dyk. Proudly created with by Caliativity Productions on wix.com