What’s the average cost of a cybersecurity data breach?



This is a question that I’m often asked in my Vistage workshop on cybersecurity and GDPR, and the reality is that it’s a figure that most people underestimate.

Accenture report that the cost for an Enterprise is somewhere between £600,000 and £1,115,000 but according to the Cyber Intelligence Research Group, 70% of all cyber-attacks are aimed at small businesses who typically have less security in place than their corporate counterparts (and are therefore easier targets). The UK Government’s figures report the average cost of a data breach for an SME at £310,000 per incident.

It’s interesting by comparison that in a recent Experian survey, they found that SME business owners estimated the cost to be circa £180,000 which is a big difference. I think one of the issues with sizing the expense of a data breach is that it depends what costs are being measured.

What is known, is that all the different reports are showing 100% ongoing annual increases in their figures, which is a major issue for the board of any sized business.

I’m also clear that the costs are only going to increase and in my experience businesses of all sizes are ill prepared for this.

Spear Phishing aimed at the board (otherwise known as Whaling or CEO Cybercrime) is rife. There is a successful attack every 15 minutes in the UK. This shows that current levels of cyber awareness within businesses are inadequate. The GDPR regulations which became law in May 2018 brought with them the expectation that staff are regularly and effectively educated, and it is something that the Information Commissioner expects to see as a sign that the organisation is taking the security of their client’s data seriously.

Cifa’s annual report Fraudscape released in April 2018 showed that identity fraud is rising and 80% of all fraudulent applications are made on-line. Someone has their identity stolen online every 3 seconds!

This increased level of online crime and growth in data breaches will attract fines from the ICO under GDPR and this will only increase the costs to SME’s.

According to insurers Zurich over 875,000 small, and medium sized businesses across the UK suffered a cyber-attack in the last 12 months and whilst many had claims of more than £50,000, the average SME is only spending £1,000 per year on cyber defences. Obviously, there is a mismatch here and I am hopeful that the GDPR regulations will force businesses to revaluate the importance of getting these defences and the education around this, proportionate to the very real risk.

A study in 2017 by Oxford Economics found that public companies’ shares fell an average of 1.8% on a permanent basis follow a serious breach and Lloyds of London claimed that a major cyberattack such as Wannacry that infamously crippled the NHS, could trigger average economic losses of £41bn which is akin to that of a natural disaster.

Cyber-attacks or data-breaches can impact sales, customer relations, market reputation and ultimately a business’s bottom line. These are all intangible costs in addition to the very real costs of legal services, regulatory fines, cyber consultants, new hardware software, training etc.

If you lived in a nice house in a high crime area you wouldn’t question investing in appropriate security and relevant insurance, many don’t do that until after their first break-in when it’s too late. When it comes to your business and to cybersecurity I urge you to give appropriate consideration and proportionate budget to the very real risk that you cannot avoid in today’s connected world.

Rob May is a cybersecurity expert. He is a Vistage Speaker, the Ambassador for Cybersecurity for the Institute of Directors in the South of England. He is Managing Director of IT Service Provider ramsac ltd; a successful TEDx speaker, published author and international keynote speaker on the subject.

More from Vistage:

New Call-to-action