July 3, 2023
Why Data Breaches Are So Costly…And So Difficult to Prevent
No one in a large organization wants to hear the news that there has been a data breach, and that the organization’s data has been compromised. But many are reluctant to spend a significant portion of their budget on appropriate preventative measures. Why?
The reason usually comes down to two misconceptions. Either the leadership of the organization assumes that a data breach is unlikely, or that, if a breach were to happen, their risk exposure would be minimal and the problem easily fixed.
The truth is that, today, data breaches are inevitable…and much more costly. Companies are often far more exposed than they know, which means that the potential costs of data compromise are much higher than assumed—and so is the ROI of preventive measures.
Data Breaches Are Inevitable
In 2022, there were over 1,800 data compromises of U.S. companies alone, impacting some 422 million individuals. This is four times the number of compromises reported just a decade ago.
Think about this risk as you would a similar risk, such as a fire at a building or a plant. As the saying goes, companies don’t carry insurance because they think something bad might happen—they get insurance because bad things do happen. On a long enough timeline, it’s a virtual guarantee that something bad will strike your business. Yes, fires are rare, but they happen, and they are devastating. The same goes for data breaches.
But here is one important way in which a fire is different from a data breach. The risk of a fire scales linearly with the number of locations you have; the risk that unsecured data poses to your business scales exponentially, even if you have a small number of total records. As a result, many companies’ data management practices may create millions or hundreds of millions of dollars of risk. Most are not even aware of it.
Systems Are Complex, and There is More Risk Than You Imagine
Gone are the days when a company has a server or two in a server closet, housing their data. Today’s companies have multiple connected systems, many of which are spinning up cloud environments and transferring data on a daily basis.
In these scenarios, data duplication creates a huge risk for companies should their systems be compromised. For example, a single company might have both client records and employee records, all of which are duplicated in a live “production” environment, a testing environment, and a data lake for analytics purposes. A single breach could potentially expose all of this data, multiplying the risk.
(For a fuller accounting of the math here, see our whitepaper on the ROI of Risk Reduction, now available for download.)
What is the Actual Cost of Exposed Data?
So data compromise is inevitable, and companies hold richer stores of data these days. The real question is this: Does the cost associated with a data breach exceed the budget needed to prevent one?
One of the very best resources for understanding what drives the cost behind a data breach is IBM’s annual Cost of a Data Breach report. The worldwide average cost of a breach in 2021 was $4.24 million, the highest average total cost in the history of the report. That works out to about $180 per record for customer information, and $176 per record for employee data.
Importantly, it wasn’t just direct remediation costs that contributed to this total. Thirty-eight percent of the total cost was attributable to “customer turnover, lost revenue due to system downtime, and the increasing cost of acquiring new business due to diminished reputation,” which suggests that the pain caused by a breach lasts for years beyond the initial incident.
Again, having duplicate records drives up costs here. A single customer, for example, might be tied to data that “lives” in several systems, both production environments and non-production environments. This means that a single customer is not just $180 worth of risk, but potentially 4-5 times that amount.
Prevention Needs to be Modern, Too
In short, data breaches are much larger and more complex than they were even a decade or two ago. That also makes them much more costly. It also means that the methods for preventing breaches and reducing risk need to be similarly modern and complex.
For example, data discovery needs to be a part of any security efforts. Discovering all databases and all instances of records in a working organization can be a massive challenge; AI-based tools are now necessary to both find and identify all the data in play.
Once data is discovered, there are various tools that can be used to protect that data, including encryption, masking, and access controls. Which tools are appropriate for which data sets depends on factors such as how often the data needs to be accessed, who will need to access it, and system performance requirements.
That said, there is a set procedure that should be followed to reduce the risk of exposure. Here at Mage, we’ve honed that procedure over the years; in some cases, we can reduce the dollar-amount risk by more than 90%.
To see what this procedure is, and to see the math behind this reduction of risk, download our white paper, The ROI of Risk Reduction for Data Breaches.