Businesses pay an average of $550K to recover after a data breach

By Erin Ayers on September 20, 2015

A new report from Kaspersky and B2B International found that organizations pay an average of $551,000 to recover after a data breach and 90 percent of businesses surveyed have experienced a security incident of some kind.

The Corporate IT Security Risks Survey evaluated over 5,500 in 26 countries around the world, with managers and IT professionals surveyed on threats, infrastructure, and the measures they take to prevent breaches.

Of all types of security events, the highest cost could be attributed to a failure of third-party providers, well above all other types of events. Fraud by employees ranked second, followed by cyber espionage.

Of the 90 percent of businesses that experienced a breach, 46 percent said they lost sensitive data as a result. While larger enterprises pay an average of $551,000, small and mid-sized businesses pay an average of $38,000 in direct costs to recover from a security event. Kaspersky found that indirect costs for organizations add another $69,000 on average. SMBs may see an average of $8,000 in indirect costs.

Survey respondents reported that the three main consequences of breaches are loss of access to business-critical information, reputational damage, and temporary loss of ability to conduct business or trade. Increased insurance premiums can also be a consequence.

“It’s not an easy task to estimate how much a business will lose as a result of a security breach. Figuring out a typical loss is even more complicated. Businesses are cautious of sharing such data, and sometimes they struggle to discern direct financial damage from indirect expenses, also caused by a cyber attack,” Kaspersky said. “We asked companies what type of losses they experienced as a result of a security breach and the budget spent on each major type of loss or expense. Using this data, we estimated a probability of a certain type of loss and calculated a corresponding average expense. Applying the weight of probability we finally calculated an average loss for small and medium businesses (under 1,500 seats) and enterprises (1,500 seats and more).”

In addition, Kaspersky attempted to estimate the financial cost of reputational damage.

“The value of a brand and corresponding damage are very hard to calculate, but we decided to give it a shot. We have combined consultancy expenses, lost opportunities due to damaged corporate image and spend on marketing and PR activities aimed at reducing the impact to reputation. The average losses for this particular type of damage are $8,653 for SMBs and $204,750 for enterprises,” said Kaspersky.

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass.