How much would a data breach cost my company?
Do you know how much a data breach would cost your company? Can you even guess whether it is on the order of thousands or hundreds of thousands of dollars? As the founder of a new small business, I asked myself this question. Using online data breach calculators, I got widely different answers. For my tiny startup, I calculated my costs using two methods and found a data breach would cost between $22,500 and $400,000. Both would be devastating for my company, but it’s hard to make decisions with such a wide range of values.
My company’s risk.
The data we hold is neither sensitive nor valuable. We have little personal information about clients and customers, and we hold no SPII. Counting our email newsletter provider, we probably hold data on fewer than 100 unique people, and we make every decision with privacy and security in mind: minimize the data collected, get consent, and follow security best practices. However, this business focuses on privacy and security, and that paints a target on our company for unethical hackers who may want to prove something.
Estimating the cost of a data breach.
The calculator at https://www.at-bay.com/cyber-risk-calculators/ estimated that a data breach would still cost my business between $300,000-$400,000. The calculator provided some explanations and allowed me to compare costs for different variables. For example, the total cost was a lot higher if the data breach was caused by employee error as opposed to a malicious attack.
However, the calculator seemed high, so I tried a simpler heuristic. A 2017 study found, “data breaches cost companies an average of $225 per compromised record.” (Ponemon.org, The cost of data breaches) In that case, a data breach involving 100 contacts would cost $22,500. While this method is simpler, it is hard to include any mitigating factors.
Based on the different reports, I created a simple but customized way to estimate the cost of a data breach. I added recommended values based on the resources cited at the end of this article and then created an educated guesstimate for my company. Feel free to copy and paste this table, and fill in estimates for your own company.
The total estimate for my company was $48,100, but this was based on wild guesses of the litigation and ransom costs. Cyber insurance would likely cover some part of this, so the costs may be lower after that is considered. There were a number of fixed costs that were independent of how much data we had.
Cost of a data breach | Recommended value | My estimate
--- | --- | ---
Reputation harm: unplanned loss of customers and business | 5% drop in annual revenue | 5% of potential revenue
Cost to identify and contain: engineering work | Reports estimate on average 200+ days to identify and contain; estimate how much time your team or contractors will spend exclusively on this instead of other projects. | My IT system is simple and I’ve prepared for this.
Cost to contain: public relations and leadership work | Companies with incident response teams and DPOs typically see lower costs here. | This is just me, I’m a solopreneur.
GDPR regulation fines | Up to 4% of last year's turnover | No turnover last year.
Ransomware remediation | According to a 2020 report by Sophos, ransomware attack remediation efforts on average cost US$732,500 when a ransom is not paid, and US$1,448,458 when a ransom is paid. | I'm not sure. I'm making a low estimate.
Insurance | Will the insurance company charge you more? | 
Prevention: new tech investment (upgrade/replace) | Depends on what you need. | Likely change newsletter provider or website host.
Cleanup: cost to notify victims | Between cents (send emails) and hundreds of dollars (offering identity monitoring) | 
Prevention: cost to implement new processes or hires | Skilled privacy & security engineer salaries are typically $100,000-200,000/year | To improve my knowledge
Overall, the answer is: it would cost too much. However, the real value of this table was forcing me to think through a bunch of different response and prevention scenarios. What can we do now to prevent a data breach?
To focus on prevention, this business will continue to:
- Enable 2-factor authentication where possible.
- Minimize the data we collect.
- Purchase cyber insurance.
My recommended values are based on these reports: