Estimating the cost of data breaches.
The full financial costs of a data breach are not easy to work out. Consider the simple example of a ransomware attack. If the ransom is promptly paid, the affected network should be swiftly back in action with negligible loss of working time. Even here the cost is not simply the ransom paid. The system is known to be vulnerable and could suffer a subsequent similar attack if funds are not allocated to discover the source of the original breach and to put methods in place to reduce the chance of it happening again.
Having some means of quantifying data breaches allows the relative severity of attacks to be compared and analysis to be made of the scale of the problem.
The UK Department for Digital, Culture, Media and Sport undertook a survey into the cost of cyber security breaches in August 2020. The costing tool used to evaluate these financial costs prompts for costs within the business areas that might be affected. Costs were divided into three areas (note that there will be some overlap between the categories).
- Assets stolen, ransoms paid and staff costs for those who were unable to continue with their usual work roles.
- Costs from loss or reduction in services such as business websites being unavailable.
- The value of data permanently lost or the cost of its recovery.
- Lost income from a drop in competitive advantage through stolen intellectual property or other sensitive information.
- Loss or damage to equipment.
- Any insurance excess paid.
Legal or regulatory costs:
- Fines for breaking data protection regulations.
- Additional legal advice following legal action as a result of the breach.
- Staff time costs in dealing with police and regulators.
- Staff time costs in dealing with customers and suppliers affected by the breach.
- The costs involved in shutting down and repairing services.
- Additional staff or consultant costs to repair the breach.
- Putting new cyber security measures in place.
- Increased cyber security staff and staff training costs.
A summary of 15 respondents to the survey indicates that the question format had evolved during the survey but that it was generally useful. The smallest loss calculated was £20, for a response to a single phishing email demanding a payment which was actioned but not eventually paid. The highest, £300,000, concerned a ransomware attack that took a network off-line for four days. In this case the ransom was not paid; the costs were made up of staff unable to work, damaged data and equipment, and changes put in place to reduce the chance of a subsequent similar attack.
More recently, a 2022 UK government investigation of cyber breaches indicates that a version of the cost tool is still being used. The information was based on a telephone survey of 1,243 UK businesses, 424 UK charities and 420 education institutions. The results have been ‘weighted’ to ‘improve’ the statistical results. Calculated costs are in section 5.5. For those who reported a breach or attack within the previous 12 months, the mean cost of a breach was £1,200 (550 cases). Some breaches had no financial impact. The mean cost for those breaches with a financial outlay was £4,200 (129 cases).
Except in the case of an operation forced out of business by a data breach, there will be a degree of estimation involved in predicting the cost of a data breach. This in turn needs to be weighed against the likelihood of any given attack scenario coming to fruition. As an experienced data security consultancy, Kindus can offer help and advice with predicting the cost of data loss.