The average cost of a data breach has reached $4.88 million, up 10% from last year, according to a recent report. As businesses increasingly rely on technology, cyberattacks are becoming more sophisticated and aggressive, and risks are increasing. What can your organization do to protect its profits and assets from cyberthreats?
Recent report
In August 2024, IBM published “Cost of a Data Breach Report 2024.” The research, conducted independently by Ponemon Institute, covers 604 organizations that experienced data breaches between March 2023 and February 2024. It found that, of the 16 countries studied, the United States had the highest average data breach cost ($9.36 million).
The report breaks down the global average cost per breach ($4.88 million) into the following four components:
- $1.47 million for lost business (for example, revenue loss due to system downtime and costs related to lost customers, reputation damage and diminished goodwill),
- $1.63 million for detection and escalation (such as forensic and investigative activities, assessment and audit services, crisis management, and communications to executives and boards),
- $1.35 million for post-breach response (including product discounts, regulatory fines, legal fees, and costs related to setting up call centers and credit monitoring / identity protection services for breach victims), and
- $430,000 for notifying regulators, as well as individuals and organizations affected by the breach.
A silver lining from the report is that the average time to identify and contain a breach has fallen to 258 days from 277 days in the 2023 report, reaching a seven-year low. One key reason for faster detection and recovery is that organizations are giving more attention to cybersecurity measures.
Implementing cybersecurity protocols
Cybersecurity is a process where internal controls are designed and implemented to:
- Identify potential threats,
- Protect systems and information from security events, and
- Detect and respond to potential breaches.
The increasing number of employees working from home exposes their employers to greater cybersecurity risk. Many companies now have sensitive data stored in more places than ever before — including laptops, firm networks, cloud-based storage, email, portals, mobile devices and flash drives — providing many potential areas for unauthorized access.
Targeted data
When establishing new cybersecurity protocols and reviewing existing ones, it’s important to identify potential vulnerabilities. This starts by inventorying the types of employee and customer data that hackers might want to steal. This sensitive material may include:
- Personally identifiable information, such as phone numbers, physical and email addresses and Social Security numbers,
- Protected health information, such as test results and medical histories, and
- Payment card data.
Companies need to have effective controls over this data to comply with their obligations under federal and state laws and industry standards.
Hackers may also try to access a company’s network to steal valuable intellectual property, such as customer lists, proprietary software, formulas, strategic business plans and financial data. These intangible assets may be sold or used by competitors to gain market share or competitive advantage.
Auditing cyber risks
No organization, large or small, is immune to cyberattacks. As the frequency and severity of data breaches continue to increase, cybersecurity has become a critical part of the audit risk assessment.
Audit firms provide varying levels of guidance, both when assessing risk at the start of the engagement and when uncovering a breach that happened during the period under audit or during audit fieldwork.
We can help
Contact us to discuss your organization’s vulnerabilities and the effectiveness of its existing controls over sensitive data. Additionally, if your company’s data is hacked, we can help you understand what happened, estimate and disclose the costs, and fortify your defenses going forward.
© 2024
TopLine Content Marketing Team