Cyber incidents cost less than often cited, report finds
- After observing a unique dataset of over 12,000 cyber incidents recorded between 2004 and 2015, a report from the Journal of Cybersecurity found the average cost of a data breach is less than $200,000, a figure that doesn't correlate to "the millions of dollars often cited in surveys."
- Respectively, finance and insurance, healthcare and government entities suffered the highest number of reported breaches of all industries, according to the report.
- The authors also found that despite popular belief, the number of malicious incidents — as opposed to accidental ones — has not increased, remaining steady at 60% over the past decade.
Cybersecurity and the best practices to protect data has been on the Obama Administration's radar for a while now. In 2013, the president signed an executive order to help secure critical national infrastructure from cyber data breaches and subsequently created the National Institute for Standards and Technology. In February this year, he even requested $19 billion to support a "broad-based cybersecurity strategy."
Though the administration has taken steps to develop standards around cybersecurity, NIST's recommendations are still voluntary. The recent report sought to understand whether firms have incentives to adopt cybersecurity standards, given the costs and causes of data breaches.
After observing data from 12,000 cybersecurity incidents the authors found costs of cyber incidents to be much lower than the public tends to believe, particularly when compared to "bad debts and fraud" in other industries.
"The findings suggest that public concerns regarding the increasing rates of breaches and legal actions may be excessive compared to the relatively modest financial impact to firms that suffer these events," according to the report.
The data shows that cyber incidents cost firms only 0.4% of their annual revenues, much lower than retail shrinkage (1.3%), online fraud (0.9%), and overall rates of corruption, financial misstatements and billing fraud.
In answering how much a firm ought to spend on IT security the report shows that half of cyber events cost a firm an amount approximately equal to its annual investment in IT security. However, the writers don't offer a definite answer on whether a firm ought to be investing it's entire budget on cybersecurity initiatives.
"On one hand, an executive who is skeptical of security investments may believe that unless a firm incurs a breach every year, it is wasting its IT security investment every year it does not suffer a breach," according to the report. "Alternatively, it may imply that a firm can expect to lose the equivalent of its IT security budget each time it suffers a data breach or security incident."
- Journal of Cybersecurity Examining the costs and causes of cyber incidents
Follow Shalina Chatlani on Twitter