7 costs of a data breach and how to minimize them
It’s no secret that data breaches are occurring more frequently and they’re expensive. Just turn on the news and you’re sure to hear a story about the millions a major company lost thanks to a leak. Unfortunately, in too many cases, businesses experience a costly breach that could have been prevented. Something as simple as a misconfigured or insecure firewall or lack of two-factor authentication can cost a company tens or even hundreds of millions of dollars.
The Ponemon Institute and IBM recently released the 2021 Cost of a Data Breach report, which stated that data breaches in 2021 cost companies an average of $4.24 million. Meanwhile, a 2019 report found that 63% of small and mid-sized enterprises (SMEs) reported experiencing a data breach in 2019.
But what do these numbers mean and how do they translate to your business? You might think that as an SME, you’re immune to the multi-million-dollar attacks you’re hearing about in the news, but adversaries don’t discriminate and many of the costs of a data breach aren’t related to a ransom paid or data leaked. The final costs of a data breach include the investigation, remediation, legal fees and settlements, fines, lost business, and even reputational damage.
Here, we’ll dig into the 2021 Cost of a Data Breach report, looking at how these costs break down and why SMEs should think twice about holding off on security measures.
Cost #1: Data loss
This is likely one of the first things that comes to mind when you think of data breach costs because it’s where the hacker makes their money. Data leaks are expensive regardless of the type of data stolen, whether it’s intellectual property (IP), employee information, a company’s financial information or customer data. Generally speaking, the loss of personally identifiable information (PII) tends to be the most expensive type of data loss ($180 per lost or stolen record versus $161 per record for data breaches overall). But depending on your company, the loss of IP can also be devastating, especially if you were the first to market with a unique product or lost valuable trade secrets your competitors can exploit once made public.
Cost #2: Ransomware payout
Although ransomware attacks were once reserved for major corporations housing significant amounts of sensitive data, the way bad actors are using ransomware has changed drastically, and SMEs are increasingly being targeted.
Most security professionals and government agencies advise against paying a ransom, yet many businesses (roughly 83 percent) decided to pay a ransom in 2021. This could be because they think it’s cheaper or faster than investigating the breach or that paying the ransom will keep the incident out of the public eye. But paying the ransom doesn’t guarantee you’ll get your data back.
A Unit 42 study found that the average ransomware payment in 2021 was $570,000. This is on top of all the other costs, which include escalation, notification, lost business, and response costs. The average total cost of a ransomware breach was $4.62M in 2021.
Cost #3: Investigative costs
When a breach occurs, your organization is responsible for removing the hacker from your environment if the compromise is still active, then conducting an investigation to determine how you became compromised. You then need to determine how to fix the vulnerability to prevent a similar attack from occurring again in the future.
This investigation could take weeks or even months. IBM’s report showed that companies without an incident response team experienced an average cost of $5.71 million. Those that had an incident response team and also tested their incident response plan had an average breach cost of $3.25 million, a 54.9% difference. And while those savings are significant, the investigative efforts will still cost your company money in the form of employee time and salaries.
Most SMEs, however, don’t have these in-house teams and should instead consider outsourcing the work to a third-party incident response team that will conduct the forensic analysis. Make sure the engagement includes an annual test exercise to further reduce your risks.
Cost #4: Remediation costs
The total remediation costs can vary based on the nature of the breach, but investigation costs tend to make up a significant portion of the overall expenditures. That’s because businesses can choose not to pay a ransom — so they’ll need to find an alternative route to retrieving their data and getting systems up and running again.
With a ransomware attack, this process can be extremely complicated and often requires the assistance of a specialty third-party partner to decrypt the encrypted files and recover them. Even for non-ransomware attacks, you’ll need to hire someone to recover and secure lost files and re-secure any system vulnerabilities exploited by the attacker.
Much like the forensic investigator, you’re paying a highly specialized expert — or team of experts — for a months-long effort, and those costs add up. Even if you have an in-house team who can lead or assist with these efforts, you’re paying in the form of employee time. You can save on costs by getting offsite backups done and secured ahead of time so you can recover quickly and cheaply.
Cost #5: Legal and compliance costs
Depending on the nature and severity of the breach as well as your industry, legal fees and settlements can be another significant portion of your overall breach-related costs. Legal costs can take the form of legal fees if outside counsel is needed — which for SMEs, it often is — as well as settlements and fines.
Your business may also need to pay fines if it’s discovered that you didn’t meet regulations such as GDPR, HIPAA or CCPA. The average cost of a data breach for organizations with a high level of compliance failures in 2021 was $5.65 million, compared to $3.35 million at organizations with low levels of compliance failures. That’s a difference of $2.3 million or 51.1%. Ensuring your business is compliant with all global, national, state and regional regulations early on can drastically reduce the financial impact to a company should a breach occur.
Depending on the type of attack, companies may also incur post-event costs related to time spent notifying customers of the breach, offering them ID theft protection, or investing in new security tools and vendors as determined by the law.
Cost #6: Lack of business continuity and post-event recovery
In the time it takes to investigate, remediate, and recover lost files or regain access to systems, you’re losing out on business. Every day that goes by without being able to serve customers will lead to additional lost profits.
If a DDoS attack crashes your website, you can’t take orders. If ransomware freezes your files or your employees’ email accounts, you can’t communicate with customers or access their information. And if your breach becomes public, third-party suppliers or partners may cancel contracts to avoid being associated with the attack or because you’re seen as too risky to continue working with.
It’s estimated that lost business represents the largest share of breach costs, averaging $1.59M or 38% of the total costs. These costs include lost customers, business lost when systems are down and the cost of acquiring new business due to reputational damage.
Cost #7: Costs caused by reputational damage
After a company experiences a breach, they lose the trust of current and potential customers, who may choose to conduct their business elsewhere. PCI Pal data showed that 62% of Americans claimed they would stop buying from a brand for several months following an attack. Reputational damage can also include reduced share prices. According to an Aon Global Risk Management survey, some companies see a 25% drop in market value in the year following an attack.
Not only do businesses lose out due to lost customers and downtime, but they may need to invest in marketing and sales efforts to earn back customers’ trust or win new customers. These efforts could include hiring an outside PR or marketing team, offering deep discounts or running an expensive campaign aimed at bolstering their reputation.
How to minimize the costs associated with a data breach
The most obvious way to cut costs of a data breach is to reduce the risk of one and the damage it can do in the first place — and that means investing in appropriate security measures early on. And for SMEs, that often means partnering with a modern MSSP and investing in foundational coverage.
MSSPs act as an outsourced security department, providing you with the technology, strategy and 24/7 monitoring needed to protect your company against a cyber attack. Based on your industry, infrastructure and existing security systems, they will recommend the minimum effective dose of security for your business, so you’re protected from an attack without paying for tools you don’t need. A good partner will also provide the remediation and recovery services as part of their contract, should an unexpected breach occur. Best of all, MSSPs can improve your security posture fast.
SolCyber is a modern MSSP that helps SMEs achieve cyber resiliency to minimize the likelihood of an attack. We handle everything from delivering foundational coverage to providing 24/7/365 detection and response services.