How to Use the Cost of a Data Breach to Justify an Incident Response Team
June 22, 2016 by Bill Rosenthal

The 2016 Cost of Data Breach Study: Global Analysis has been released, and you can download it here (registration required). Sponsored by IBM and performed by the Ponemon Institute, this year’s study is a real eye-opener. 

The report classifies data breach costs into four categories:

1. Detection and Escalation Costs

  • forensic and investigative activities
  • assessment and audit services
  • crisis team management
  • communications to executive management and board of directors

2. Notification Costs

  • creation of contact databases
  • determination of all regulatory requirements
  • engagement of outside experts
  • postal expenditures
  • email bounce-backs
  • inbound communication set-up

3. Ex-Post Response Costs

  • help desk activities
  • inbound communications
  • special investigative activities
  • remediation
  • legal expenditures
  • product discounts
  • identity protection services
  • regulatory interventions

4. Lost Business Costs

  • abnormal turnover of customers
  • increased customer acquisition activities
  • reputation losses
  • diminished goodwill 

This list is especially useful in planning your response to a data breach, and in persuading your management of the need for better security: it turns a vague "a breach would be expensive" into line items they can picture.

What do these costs amount to? The average total cost of a data breach is now $4 million, a five percent increase over last year (and a 29% increase since 2013). The average cost per lost or stolen record is $158, a 15% increase since 2013. The study also estimates that an organization has roughly a one in four chance of suffering a material data breach of 10,000 records or more within the next 24 months; the probability falls as the breach size grows. That likelihood, combined with the cost figures, is the basis of a solid pitch if you are trying to sell management on a cybersecurity program. I’ll leave it to you to do the arithmetic.

But here is, to my mind, one of the most powerful findings in the entire report: having an incident response team in place reduces the average per-record cost of a data breach by $16, from $158 to $142. That beats every other cost mitigator in the study, including “extensive use of encryption,” which reduces the per-record cost by $13. In other words, fielding an incident response team cuts the cost of a data breach (an event you have roughly a one in four chance of incurring at the 10,000-record level) by about 10%.

Start with the $4 million average cost, run your numbers accordingly, and see whether the cost of fielding an incident response team is lower than the probable cost of a data breach without one. Hint: 10% of $4 million is $400,000. Be honest about the arithmetic, though: weight that $400,000 saving by your probability of a breach (at the study’s one in four over 24 months, that is roughly $100,000 of expected saving over two years, or about $50,000 a year), and remember that $4 million is the study’s average. If your likely breach is much larger or smaller than the study’s, scale from the per-record figures ($16 saved per record) instead of the headline total.

If you have an incident response team, file away these numbers so you can pull them out if anybody challenges the need for it. If you don’t have one, organize it. Consider the Logical Operations CyberSec First Responder (CFR) program. The CyberSec First Responder: Threat Detection and Response course will teach your first responder team to analyze threats, design secure computing and network environments, proactively defend networks, and respond to and investigate cybersecurity incidents. Having a first response team will probably not reduce your risk of being attacked. But the 2016 Cost of Data Breach Study: Global Analysis shows it will reduce the cost of the breach, by about 10% on the study’s averages.