How to calculate the cost of a data breach

Direct costs: Immediate and measurable expenses

Direct costs are the easiest to account for as they are on the balance sheet already. Some of the major direct costs include the following:

• Incident response and digital forensics. Engaging cybersecurity firms, forensic analysts and legal experts to investigate the breach and determine its cause.
• Notification costs. Alerting affected customers, partners, regulators and employees. This includes call centers, mail notifications and credit monitoring services.
• Legal and compliance penalties. Not complying with regulatory requirements, such as GDPR, CCPA or HIPAA, can result in hefty fines. If lawsuits ensue due to the breach, this increases direct costs paid.
• Ransom payments. If ransomware is involved in the attack, some organizations opt to pay the ransom in an attempt to recover data quickly, though this is highly discouraged by law enforcement agencies.
• System recovery and restoration. Bringing systems back online and restoring services can prove costly, especially in complex, involved attacks.
• Security improvements. Investing in system upgrades, new security tools and enhanced monitoring capabilities after a breach occurs.

Indirect costs: Hidden financial burdens

Not only do organizations have to worry about the direct cost of a data breach, but they must also consider indirect costs. Some of these indirect costs apply to all organizations, some do not.

Consider the following indirect costs:

• Lost business and customer attrition. Studies have shown that customers lose trust in companies that suffer data breaches, leading to reputational damage and revenue loss.
• Loss of intellectual property. If intellectual property is stolen during a breach, companies could lose their competitive advantage, hurt future business opportunities or even have to shut their doors.
• Increased cybersecurity insurance premiums. After a breach, insurers often raise premiums or reduce coverage for cyber insurance policies.
• Employee downtime and productivity losses. During and after a breach, employees often spend time responding to incidents rather than focusing on their primary responsibilities. Some organizations might also experience staff turnover following a breach.
• Regulatory audits and scrutiny. Organizations could be subject to ongoing audits and compliance reviews that require significant internal resources.

How to calculate the cost of a data breach

Several websites offer data breach calculators, including the following:

• Artic Wolf offers ransomware, data breach and business email compromise cost calculators.
• NetDiligence estimates costs based on what types of records were exposed -- PCI, PHI or PII.
• At Bay has ransomware and data breach cost calculators.

Note, these calculators offer an approximate look at what a breach might cost based on an organization's size, industry, types and number of records stolen, how the breach occurred, potential media coverage of the breach and more. These calculators are purely educational.

How to manage the risk of a data breach

We all know it is impossible to be 100% secure. We also know that doing nothing increases the likelihood of being breached. So, where's the sweet spot? It is critical to start from the top down and create an enterprise risk management strategy. While this might sound like a heavy lift, teams can streamline it to keep costs down and still affect security in a mission-driven manner.

The following are some key tips.

Create strategic goals and objectives

Many IT security frameworks support the creation of strategic goals and objectives: Security teams should pick their favorite. The best strategic objectives are paired with operational, compliance and reporting objectives. Create clear and concise objectives. This lets the enterprise prioritize those most important.

Conduct a business impact adjustment

After establishing objectives, catalog assets and analyze them relative to the objectives. This could be a simple spreadsheet with computer systems, third-party systems and services, and internal services. As an organization grows, however, more automated tooling is needed to manage this data.

The key is to make sure the organization's assets are tied to its objectives. From there, analyze risks to those assets that are caused by cybersecurity threats. For example, what would happen if the payment system was targeted by ransomware? How would the organization respond if its external services went offline due to a DDoS attack? What would the impact of these scenarios be? Being able to accurately qualify and quantify risks to critical assets enables teams to prioritize which risks to address first.

Set risk strategy

With clarity on which assets are important and what risks are critical to mitigate, create clear guidance on what needs to be done. This can come in the form of risk appetite and risk tolerance statements. These statements tell management teams what the organization is willing to accept in terms of enterprise impacts related to the cost of a data breach. If the organization is concerned with the availability of critical services, risk statements might look like the following:

• Risk appetite. Our customers associate reliability with our company's performance. Service disruptions must be minimized for any customer-facing websites.
• Risk tolerance. Regional managers can permit website outages lasting up to two hours for no more than 5% of customers.

These types of statements clearly tie objectives to measurable outcomes that translate to buying down risk through action plans. NIST's "Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight" has excellent resources on how to communicate risk strategy up and down the corporate stack.

Create and monitor action plans

Managers can take the risk strategy set by leadership and implement controls or actions that achieve the risk outcomes. Report out these action plans at regular intervals. Controls can come from a variety of places, among them ISO 27001, NIST Special Publication 800-53 or the Center for Internet Security Controls. Manage the organization's controls from a risk perspective. Gain efficiency across the enterprise by implementing a control, measuring its effectiveness against the risk strategy and reporting that to leadership in a language they can understand.

Matthew Smith is a vCISO and management consultant specializing in cybersecurity risk management and AI.