Breach costs – reputation, loss of customers, fines, business closure

According to IBM’s 2021 data breach report, the average cost of a data breach rose from $3.86 million to $4.24 million, the highest average total cost in the 17-year history of the report.

A new report from the Department for Digital, Culture, Media and Sport (DCMS) has revealed that data breaches have become more costly for medium and large businesses in the UK. The report shows that medium and large companies lost an average of £19,400 in 2021, up from £13,400 in 2020. Interestingly, when companies of all sizes are taken into account, the average falls to £4,200, a significant reduction from the £8,460 reported in 2020.

Every year, reports like these give us a sense of what is happening around us and of the ever-increasing cost of data breaches and cyber attacks. They are valuable because they give us an idea of the cost, the methods used and how organizations respond to growing threats. However, we must treat them with some caution, because they do not and cannot offer an accurate picture of what is happening in our digital universe or of the full impact of data breaches. This is not a criticism of the researchers themselves, but rather an observation that there are too many factors we fail to take into account when calculating the size of the problem or the cost of its impact.

Although reporting the financial impact of a data breach is essential and valuable, it is somewhat arbitrary and does not give us the true cost of a breach, which is far harder to quantify. Of course, these are good statistics to take into the boardroom to justify your cybersecurity budget, but we must also take into account the less tangible impact of a breach, because the costs and the impact on the business are much higher than the reported numbers suggest.

Damage to reputation

After a breach, there are often difficult conversations to be had with customers, clients and employees about what happened. Phone calls, emails and press releases have to go out before the breach is fully understood or the financial impact calculated. With every communication there is a chance of losing a customer and adding to the damage to the organization’s reputation.

Of course, this does not mean that organizations should obscure the event and try to avoid these conversations, as that will undoubtedly be worse for them in the long run. If an organization is open and honest about what happened, then it is likely that many (though not all) of its customers, suppliers and employees will forgive it. This is especially true if it has suffered at the hands of organized cybercriminals. But it is a risky strategy to rely on, because patience and generosity of spirit are often in short supply, even when the organization is itself the real victim of a successful attack.

Back in 2013, the American retailer Target was compromised by cybercriminals, affecting 41 million customers. Target discovered the breach within 16 days and disclosed it to the public 20 days after the discovery, but many customers were unhappy with the time it took the retail giant to uncover the breach.

This undoubtedly affected the company’s share price for a significant period of time. After all, a company’s share price is a financial expression of its reputation and standing.

Compensation and fines

Reputational impact is what we look at most often when considering the cost of a breach, but there are other factors to consider.

Data breaches can lead to compensation claims and possibly even sanctions and fines imposed on an organization. The Information Commissioner’s Office (ICO), the UK’s supervisory authority, oversees compliance with the UK Data Protection Act and the EU GDPR. Following a breach, an organization may need to explain itself to the ICO, which may then take action. Whatever form that sanction takes, lawyers will invariably get involved, and the financial impact of the breach will quickly escalate again.

But after a breach there is another impact, one that is often forgotten or left undiscussed. It has a financial cost too, but it is less obvious in the first assessment.

Human impact

When a breach occurs, there is a flurry of activity to find out what happened and what action needs to be taken. The incident response team springs into action, follows its plans and works diligently to get the business running again.

During the response and recovery process, there is pressure on those involved to be fully engaged and present so that recovery can happen as quickly as possible. Holidays are cancelled and personal commitments such as caring for children or relatives are set aside – the focus now is on surviving or rebuilding the business.

The stress on recovery team members is therefore significant, and it is often overlooked when deciding who should be part of your recovery team. Staying calm under pressure is what most leaders and managers expect. However, a data breach or cyber event is not something many people will (thankfully) encounter every day. The way people react and respond to a breach will therefore vary considerably, but however they react, the truth is that the initial response will be a human one.

Be under no illusions here: when a breach occurs, your team’s first reaction will be “How does this affect me? Is it my fault?” This may be a fleeting thought, but it will be there nonetheless, and it causes stress and anxiety as the person struggles to balance personal and professional responsibilities.

Not surprisingly, a recent study found that 24% of Fortune 500 Chief Information Security Officers (CISOs) last only one year in the role, with an average tenure of 26 months. But what about the IT team members? Or the rest of the response team? How long do they stay after an incident?

Of course, stress and anxiety can lead to mental health problems, and, to bring this back to the balance sheet, the resulting productivity problems lead to further financial losses.

Calculating the cost of a breach understandably comes down to what we can enter in a spreadsheet, but we should not consider only the obvious financial consequences. We need to look at every aspect of the breach if we want to get closer to understanding its real cost. That means taking into account the impact on our reputation, the opportunity costs, the impact on productivity, increased operating costs, compensation and fines, and finally, the impact on our people.

The impact on our people is often the most difficult to calculate, as there is no clear indication of when the effect will be felt; team members may start looking for another role as the business begins to recover, and may never mention the breach as the catalyst for leaving.

The purely financial cost of a breach may sit in a spreadsheet, but the real cost of a breach runs much deeper. It is an erosion of the trust of both internal and external stakeholders.

So the real question we need to ask, and the real calculation we need to make, is this: what price do you put on trust?

About the author: Gary Hibberd is the “Professor of Communicating Cyber” at Cyberfort and is a cybersecurity and data protection specialist with 35 years in IT. He is a published author, regular blogger and international speaker on everything from the Dark Web to cybercrime and cyberpsychology.

You can follow Gary on Twitter here: @AgenciGary

Editor’s note: The views expressed in this guest article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.
