Companies that focus on the immediate breach remediation costs may be missing the big picture, and could be under-investing in security as a result.
Several studies have come out recently trying to get a handle on the total costs of a data breach, with a large variation in results, from less than $1 million on average to $6 million, depending on the data sets and the types of costs included.
But the actual numbers could be several times higher.
Take the Yahoo breach, for example, which could lead to a $1 billion drop in the company's value.
Last month, Yahoo revealed that 500 million accounts were hacked in 2014, shortly after Verizon agreed to buy the company for $4.8 billion. Now, Verizon is reportedly asking for a $1 billion discount.
"This demonstrates firsthand the significant destruction of value that can result from a massive breach," said John Gunn, spokesman at VASCO Data Security.
In fact, the total value can be even higher, said Michael Lipinski, CISO and chief security strategist at Securonix.
"The lawsuits alone against Yahoo may be substantial," he said. "It’s possible that the Yahoo value falls even more than the $1 billion number reported on today. With the substantial financial risk overshadowing Yahoo and lack of another suitor stepping up with a competitive offer, I would anticipate Verizon getting even more aggressive with the negotiations.”
Companies typically underestimate the total costs of a breach dramatically, according to a recent report by Deloitte Advisory Cyber Risk Services.
In an in-depth analysis of two scenarios, researchers found that between 75 and 95 percent of the total costs of the breach were "hidden" costs that were not immediately apparent.
Of course, every situation is unique, said John Gelinne, managing director of Deloitte Advisory Cyber Risk Services at Deloitte & Touche.
"Companies operate in different threat environments," he said. "It's not one-size-fits-all."
According to Deloitte, typical "above the surface" breach-related expenses include such items as post-breach consumer protection, cybersecurity improvements, customer breach notification, legal costs and fines, public relations, and forensic investigations.
But those are just the immediate, obvious costs. The total impact includes such items as lost revenues and lost customer relationships, brand devaluation, increased cost to raise debt, higher insurance premiums, operational disruptions, and the loss of intellectual property.
In the two scenarios analyzed, the total cost of the breach went from $59 million to $1,679 million and from $26 million to $3,258 million when those other factors were considered for the five-year period immediately after the incident.
"We think that if you can describe the impact based on your company's specific, plausible scenario and you can model your impact more accurately, that that will help guide your investment accordingly," Gelinne said.
That means that CSOs need to learn to look at the bigger picture and work with business teams to evaluate the total potential impact of cybersecurity incidents, in order to better understand which assets need the most protection.
"The budgets will never be big enough if the goal is to prevent every possible incident," he said. "Our modeling technique is adding more information to make better decisions on how to invest."
Why cost estimates vary
Three recent studies put the cost of a breach at $170,000, $861,000 and $4 million. That's already a wide range, but far below what Deloitte is suggesting.
Why the disparity?
Research typically focuses on data breaches that involve losses such as account credentials, credit card numbers, and health care information.
"Largely, studies deal primarily with what is publicly reported," Gelinne said. "The theft of personally identifiable information, personal health information -- these are widely understood. But there are other types of scenarios that may not be considered in the calculations."
Then, studies vary in their choice of what size incidents to consider, which specific costs to look at, and how those costs are calculated.
For example, last month Kaspersky estimated that the average security incident cost enterprises $861,000, based on cost estimates provided by the companies themselves, rather than a third-party analysis.
In addition, the Kaspersky report focuses specifically on breach recovery costs, with personnel-related costs accounting for 53 percent of the total and improving software and infrastructure accounting for another 14 percent.
"We also included expenses that may occur after the incident has been remediated, such as staff training and new headcount, should it be triggered by the incident," said Michael Canavan, vice president, Kaspersky Lab North America at Kaspersky Lab ZAO.
The estimates also included the cost of damage to credit ratings, higher insurance premiums, and lost business, but not many of the other common breach-related expenses such as notification and legal costs, nor some of the other indirect expenses considered by Deloitte or other researchers.
Another disparity is whether a typical breach cost should be the average for all incidents, or the median.
The median cost of a breach is $170,000 -- but the average cost is $5.9 million, says a report released this Monday.
The median number is more useful, said study author Sasha Romanosky, policy researcher at Rand Corp.
The average cost is skewed upwards, he said, due to a few extremely large breaches such as Target.
"The reality is that most breaches just aren’t of this magnitude," he said. "And so the median is more reflective of the overall costs."
In his study, reputation costs of loss of brand value were not included in the total, he said. "How would you measure loss of brand, anyhow?"
Another recent breach cost report, produced by the Ponemon Institute and IBM this summer, puts the average cost of a breach at $4 million, up from $3.79 million last year.
The average cost is a little lower than that of the Rand study because the mega-breaches were deliberately excluded from the sample, said Larry Ponemon, chairman and founder at Ponemon Institute.
"You want to have enough observations and right now there aren't enough to get a good model," he said.
Ponemon considers both the direct and indirect costs of a data breach. Direct costs include hiring forensic experts and victim identity protection services. Indirect costs include the time employees spend resolving the breach, but also the loss of goodwill and customer churn.
However, Ponemon doesn't consider all the indirect costs that Deloitte does, and also focuses specifically on lost data records such as credit card numbers and not on other types of losses.
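The Rand and Ponemon passages above explain three different "typical cost" numbers with three different summary statistics: the median, the plain average, and an average computed after the largest breaches are dropped from the sample. The example below, added here and not taken from the article or any of the studies it cites, shows on a constructed data set (a dozen made-up incident costs, not real breach figures) how a couple of very large incidents pull the mean far above the median while barely moving the median at all. The function names and the sample values are assumptions for illustration only.

```python
"""Why breach-cost studies disagree: mean vs. median vs. trimmed mean.

Added example, not from the article or the studies it cites.
All cost figures below are constructed sample data in USD, not real breaches.
"""
from statistics import mean, median

# Constructed sample: ten modest incidents plus two outliers that stand in
# for mega-breaches of the kind the article says skew the average.
SAMPLE_BREACH_COSTS = [
    120_000, 150_000, 170_000, 180_000, 200_000, 250_000,
    300_000, 450_000, 900_000, 2_000_000,
    150_000_000, 250_000_000,  # two outliers (constructed)
]


def typical_cost(costs, exclude_top=0):
    """Return (mean, median, mean_without_top_k) for a list of breach costs.

    exclude_top mimics a study that removes its largest incidents before
    averaging, which is how the article describes the Ponemon sample.
    """
    if not costs:
        raise ValueError("need at least one cost observation")
    ordered = sorted(costs)
    trimmed = ordered[: len(ordered) - exclude_top] if exclude_top else ordered
    if not trimmed:
        raise ValueError("exclude_top removes every observation")
    return mean(costs), median(costs), mean(trimmed)


def outlier_share(costs, top_k=1):
    """Fraction of total cost contributed by the top_k largest incidents."""
    if top_k < 1 or top_k > len(costs):
        raise ValueError("top_k must be between 1 and the number of observations")
    ordered = sorted(costs, reverse=True)
    return sum(ordered[:top_k]) / sum(ordered)


if __name__ == "__main__":
    avg, med, trimmed_avg = typical_cost(SAMPLE_BREACH_COSTS, exclude_top=2)
    print(f"mean:                 ${avg:,.0f}")
    print(f"median:               ${med:,.0f}")
    print(f"mean w/o top 2:       ${trimmed_avg:,.0f}")
    print(f"share from top 2:     {outlier_share(SAMPLE_BREACH_COSTS, 2):.1%}")
```

On this sample the median sits at $275,000, the mean excluding the two largest incidents at $472,000, and the raw mean above $33 million, with the two outliers accounting for roughly 99 percent of the total. The ordering mirrors the article's three study figures: which statistic a report chooses, and whether it trims its sample, matters more than the underlying data.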
Why the numbers matter
The breach cost estimates affect the cost-benefit calculation of companies looking at their security budgets.
"Firms lack incentives to invest in security as much as many people would like," said Rand's Romanosky.
Companies need to look at more than the immediate remediation costs and technology costs when considering the total impact of a breach, and should involve participants from throughout the organization when analyzing the risk.
"Breaches have an immediate cost related to incident response and forensics but it is minimal compared to the long-term costs related to brand trust and organizational security restructuring costs," said Julien Bellanger, co-founder & CEO at Los Angeles-based Prevoty. "It seems that Verizon understands that and is pricing the long-term cost of the Yahoo hack at what should be a wake-up call for enterprises underinvesting in security."