IBM and the Ponemon Institute have released their new Cost of a Data Breach Report 2021, based on analysis of 537 breaches across multiple locations and industries. The results are pretty eye-opening and provide a window into the nature and scale of reputational costs — lost business following a breach — that are independent of whether the data lost was actually protected or critical.
Overall, the total cost of a data breach rose 10% over 2020 to $4.24 million. That’s the largest year-over-year increase in seven years. But it’s not evenly distributed. For example, where remote work factored into the cause of a breach, the cost was higher by over $1 million. And the healthcare industry led all others in cost for the 11th consecutive year, growing nearly 30% to $9.23 million.
There are several different types of cost that go into the total cost of a breach, but according to the report, the biggest contributor in 2021 was lost business, representing 38% of the total cost, or $1.59 million. This number includes increased customer turnover and increased cost of acquiring new business due to reputational harm, along with lost revenue due to system downtime.
Illuminate Education exemplifies this type of risk. In January 2022 the company — which provides education and assessment software to school districts across the U.S. — suffered a large data breach. New York City banned the use of their products after it was revealed that private data belonging to 820,000 students there had been taken.
The scope of the breach continues to expand, with many other students affected in districts nationwide. It seems prudent to assume that more of those districts will cut ties with Illuminate Education, with severe bottom-line effects for the company — all because of a data breach that may very well have been preventable.
Consider also the recent example in which the Oregon Secretary of State’s (SoS) reporting process was disrupted in the run-up to primary elections (discussed in detail in an earlier blog post). A web hosting provider called Opus Systems suffered a severe ransomware attack and data theft. The Oregon SoS uses the campaign finance reporting system ORESTAR. Login information for ORESTAR is held in a database owned by campaign finance firm C&E Systems. And C&E Systems uses Opus Interactive for web hosting.
Despite not having been victimized itself, the Oregon SoS had to address the potential security consequences and invest in public relations efforts to reassure voters that the upcoming election was not in any way affected by the breach.
The Cost of a Data Breach Report also provides considerable insight into the mitigating effects on cost of different security strategies.
The reputational costs and potential business impacts of a data breach are clearly severe. But by implementing high-impact security solutions, you can not only reduce the chances that your organization will fall victim to a data breach, but also significantly lower the total cost in case an attacker still succeeds in breaching your data.
As you migrate to the cloud, it’s especially important to ensure that your security strategies are able to extend comprehensive protection across your entire infrastructure. Barracuda’s cloud-first solutions work together to secure email, defend networks and apps, enforce zero trust access controls, and protect data wherever it’s deployed.
By Tony Burgess
This article originally appeared on Journey Notes, the Barracuda blog.