With the release in June 2017 of the newest IBM “Cost of Data Breach Study,” conducted by Ponemon Institute, the web is buzzing with discussions of what a breach costs. Now is therefore a good time to offer a more nuanced reading of this report by examining the claims made in a variety of recent breach cost reports that attempt to answer similar questions.
If you’re like me, a few things stand out with this set of reports:
The goal is not to chastise these reports for attempting to answer the questions about what a breach generally costs. Instead, it’s to emphasize that the cost of a breach is a highly dynamic figure that should be rooted in the risk profile of your organization. For any given organization, the question, "What is the average cost of a breach?" is far less valuable than questions such as:
These types of questions can be difficult to answer, and they will require constant re-evaluation as the business landscape changes and cyberthreats evolve. That said, a working understanding of the cost factors can greatly increase the effectiveness of your cybersecurity program.
All organizations should consider performing cross-departmental analyses of such costs to tune cybersecurity budgets and spending accordingly. Key players would likely include finance, IT operations, revenue-generation business units, compliance, customer service, and, of course, risk management. Additionally, this analysis doesn’t necessarily need to be built from scratch, and it could leverage similar analyses such as a business impact analysis (BIA) or true downtime cost (TDC) analysis. Incident or breach cost analysis should also be baked into post-mortem reviews to continue to refine cost models.
The more your organization is able to reduce the uncertainty of cost due to a breach, the more the board, investors, and business partners will be able to see that you are taking a measured approach to keeping your data and business secure.
In accordance with applicable professional standards, some firm services may not be available to attest clients.
© 2017 Crowe Horwath LLP, an independent member of Crowe Horwath International.