Calculating the Cost of a Databreach

Estimating the cost of data breaches.

UK government studies aim to identify the financial costs of dealing with a data breach.

The full financial costs of a data breach are not easy to work out.  Consider the simple example of a ransomware attack.  If the ransom is promptly paid the affected network should be swiftly back in action with negligible loss of working time.  Even here the cost is not simply the ransom paid.  The system is known to be vulnerable and could suffer a subsequent similar attack if funds are not allocated to discover the source of the original breach and methods put in place to reduce the chance of it happening again.

Having some means of quantifying data breaches allows the relative severity of attacks to be considered and anaysis made on the scale of the problem.

The UK Department for Digital, Cultural, Media and Sport undertook a survey into the cost of cyber security breaches in August 2020.  The costing tool used to evaluate these financial costs  prompts for costs within business areas that might be affected.   Costs were divided into 3 areas (note that there will be some overlap between the categories).

Immediate losses:

  • Assets stolen, ransoms paid and staff costs for those who were unable to continue with their usual work roles.
  • Costs from loss or reduction in services such as business websites being unavailable.
  • The value of data permanently lost or the cost of its recovery.
  • Lost income from a drop in competitive advantage through stolen intellectual property or other sensitive information.
  • Loss or damage to equipment.
  • Any insurance excess paid.

Legal or regulatory costs:

  • Fines for breaking data protection regulations.
  • Additional legal advice following legal action as a result of the breach.
  • Staff time costs in dealing with police and regulators.
  • Staff time costs in dealing with customers and suppliers affected by the breach.

Technical costs:

  • The costs involved in shutting down and repairing services.
  • Additional staff or consultant costs to repair the breach.
  • Putting new cyber security measures in place.
  • Increased cyber security staff and staff training costs.

A summary of 15 respondents to the survey  indicates that the question format had evolved during the survey but that it was generally useful.  The smallest loss calculated was £20 for a response to a single phishing email demanding a payment which was actioned but not eventually paid.  The highest £300,000 concerned a ransomware attack that took a network off-line for four days.   In this case the ransom was not paid.  The costs being made up of staff unable to work, damaged data and equipment together with changes being put in place to reduce the chance of a subsequent similar attack.

More recently a 2022 UK government investigation of cyber breaches  indicates that a version of the cost tool is still being used.  The information was based on a telephone survey of 1,243 UK businesses, 424 UK charities and 420 education institutions.  The results have been ‘weighted’ to ‘improve’ the statistical results.  Calculated costs are in section 5.5. For those who reported a breach or attack within the previous 12 months the mean costs of a breach were £1,200 (550 cases). Some breaches had no financial impact.  The mean cost for those breaches with a financial outlay was £4,200 (129 cases).

Except in the case of an operation forced out of business due to a data breach there will be a degree of estimation involved in predicting the cost of a data breach.  This in turn needs to be weighed against the likelihood of any attack scenario coming to fruition.  As an experienced data security consultancy Kindus can offer help and advice with predicting the cost of data loss.

More from Recovery & Security

04/12/2024

Sitting Duck Attacks

The Sitting Duck attack revolves around taking control of a domain and then using it to distribute malware or as a source for phishing …

Read post

25/11/2024

Developers Hit By Compromised Software Packages

A Typosquat campaign uses slight variations on well-known names to mislead a user to access a rogue rather than genuine asset.  It is well …

Read post

04/11/2024

UK Data (Use and Access) Bill

The Data (Use and Access) Bill had its first reading in the Lords on 23 October 2024.  This step is merely a formal introduction …

Read post

28/10/2024

Zero-Day Attacks

In October 2024 Google Mandiant reported on 138 exploited vulnerabilities since 2023.  They concluded there had been an increase in the number and speed …

Read post

Sign Up

Sign up to our newsletter list here.

    Successful sign up

    Thank you for signing up to our newsletter list.

    Check your inbox for all the latest information from Kindus

    Categories