If you had a breach of your most sensitive data tomorrow, how much would it cost you? There are quite a few studies that provide data on the costs of data breaches. These usually provide a per-record cost that organizations can use to project the cost of a breach. For example, Ponemon Institute’s Seventh Annual U.S. Cost of a Data Breach study showed the cost per record to be $194 and the average cost per breach to be $5.5 million. This per-record cost includes many other variables, but if your breach is on the small or large side, the number may not be very accurate. It also assumes certain common types of records, but some breaches include trade secrets, financial documents or business memos that are not commonly included in such estimates.
Accurate projections rely on more variables than just the number of records. What type of records would be breached? Social Security numbers, credit card numbers, health records, financial documents or business plans? Would there be regulatory sanctions such as FTC fines? These are the questions that leave many business leaders and risk managers guessing, and yet they are questions that desperately need to be answered.
In the end, decision makers really have no idea what a data breach will cost them. Research conducted by CipherCloud found that 68 percent of decision makers could not estimate data breach losses. Without knowing how much a breach will cost, it is difficult for a business to determine how much should be allocated to the security controls meant to prevent one. You can address this by performing a risk assessment. If internal risk management or information security professionals are available, they will be familiar with the process. Otherwise, a professional information security consultant can perform the assessment. They will ask questions about the type of data stored on organizational information systems and the security controls in place, and help you determine the dollar value of a breach. After that, you can implement security controls to help prevent the breach and reduce the risk to an acceptable level.