Data Breaches: Calculating Their Cost is a Complex Conundrum


We often talk about the risk of a data breach and how to prevent it, but one area that still offers much room for discussion is around calculating the true cost of a breach. This is by no means an exact science, but some in the industry have taken steps toward quantifying it.

In an article published on, Akamai’s Terrence O’Connor discusses the various factors including why calculating the cost is so important. It may seem obvious that an organization would want to understand the value of their assets and protect them, but when it comes to data breaches the reality is many organizations don’t have a strong sense of what’s really at stake.

O’Connor goes as far as saying, “the calculation is extremely simple”– a matter of simple addition of the costs of the assets lost. However, the fact of the matter is that it’s not so simple for the vast majority of companies, especially those in non-regulated environments where there may be no associated monetary fine for lost or stolen data.

Even O’Connor’s recommendation to consider the cost of acquiring that asset and the impact on revenue that is lost if it is stolen is subjective and varies widely depending on the asset. Plus, identifying and attaching a dollar figure to assets that are less tangible, such as reputation and trust, which hold enormous value and can take years to build, are much more challenging to factor in.

IBM has taken a crack at quantifying the potential impact of a data breach in an easy-to-use risk calculator, but it lumps together organizations with a headcount of 500 employees or less. Clearly the target market for this calculator is not small and medium size businesses (SMBs), yet they are the organizations that make up the vast majority of businesses across North America.

One thing is certain. A data breach has the potential to do major damage to organizations of any size. While strictly speaking smaller organizations have less to lose financially, they overall impact of stolen customer or competitive information is likely to be much more devastating. SMBs simply don’t have the deep pockets, insurance coverage or resources to see them through a major breach.

The good news is that email encryption and data loss prevention tools are much more scalable, affordable and effective than they once were. This is in large part because of the growth of public and private clouds and the influx of innovative software-as-a-service security solutions. Organizations of all sizes in every industry can and should be taking advantage of these products, not just those in regulated industries like healthcare, government and financial services.

And for those organizations that do have to ensure their solutions meet mandated IT security and data jurisdiction requirements, like HIPAA or FINRA, your best bet is it look for a cloud service provider (CSP) that has experience in your domain and is actively exploring and testing the new options available on the market. They are acting as your IT security broker as well as your advisor so you will want to know they are keeping abreast of the tools that are out there to find the best match for you.