How great is your cyber risk?

September 16, 2021

Recently, I read a piece directed at CFOs. The question was asked, “You may have a cyber breach that costs $25 million. Don’t you think it’s prudent to invest $1 million to prevent it?”

This is the state of the hyper-active consultants.

Let’s examine the question.

First, each of us needs to understand the potential cost of a breach in our organization. Not what others have reported, the extremes, but what applies in our specific facts and circumstances. We need a careful business impact analysis.

Then we need to understand the likelihood of a breach that would have a significant effect. It’s not the likelihood of a breach that we need to be concerned with. It’s the likelihood of a breach with an unacceptable impact on the business.

As I explained with examples in Making Business Sense of Technology Risk, a breach can have a small effect, a moderate effect, or a significant one. There is a range of potential effects, from graffiti on a web site to the loss of essential intellectual property. Each point in that range has its own likelihood.

While we may be concerned with multiple breaches of low impact, most of us are focused on the likelihood of a breach that would disrupt or cost us more than we can tolerate – making it more difficult to achieve our enterprise objectives.


Fortunately, we have some very useful information from IBM. For several years, they have sponsored research into the cost of a breach by the Ponemon Institute. Their latest report is Cost of a Data Breach Report 2021. Here are some key points in this informative publication. I have highlighted key language.

  • Data breach costs rose from $3.86 million to $4.24 million, the highest average total cost in the history of this report. Costs were significantly lower for some organizations with a more mature security posture, and higher for organizations that lagged in areas such as security AI and automation, zero trust and cloud security.
  • The average cost was $1.07 million higher in breaches where remote work was a factor in causing the breach, compared to those where remote work was not a factor. The percentage of companies where remote work was a factor in the breach was 17.5%. Additionally, organizations that had more than 50% of their workforce working remotely took 58 days longer to identify and contain breaches than those with 50% or less working remotely. IT changes such as cloud migration and remote work increased costs, yet organizations that did not implement any digital transformation changes as a result of COVID-19 experienced $750,000 higher costs compared to the global average, a difference of 16.6%.
  • Healthcare data breach costs increased from an average total cost of $7.13 million in 2020 to $9.23 million in 2021, a 29.5% increase. Costs varied widely across industries, and year over year. Costs in the energy sector decreased from $6.39 million in 2020 to an average $4.65 million in 2021. Costs surged in the public sector, which saw a 78.7% increase in average total cost from $1.08 million to $1.93 million.
  • Lost business represented 38% of the overall average and increased slightly from $1.52 million in the 2020 study. Lost business costs included increased customer turnover, lost revenue due to system downtime and the increasing cost of acquiring new business due to diminished reputation.
  • Customer personally identifiable information (PII) was the most common type of record lost, included in 44% of breaches.
  • Overall, it took an average of 287 days to identify and contain a data breach, seven days longer than in the previous report.
  • The average cost of a breach was $5.04 million for those without zero trust deployed. Yet in the mature stage of zero trust deployment, the average cost of a breach was $3.28 million, $1.76 million less than organizations without zero trust, representing a 2.3% difference.
  • Organizations with fully deployed security AI and automation experienced breach costs of $2.90 million, compared to $6.71 million at organizations without security AI and automation. The difference of $3.81 million, or nearly 80%, represents the largest gap in the study when comparing breaches with vs. without a particular cost factor. The share of organizations with fully or partially deployed security AI and automation was 65% in 2021 vs. 59% in 2020, a 6 percentage point increase and continuing an upward trend. Security AI/automation was associated with a faster time to identify and contain the breach.
  • Ransomware attacks cost an average of $4.62 million, more expensive than the average data breach ($4.24 million). These costs included escalation, notification, lost business and response costs, but did not include the cost of the ransom. Malicious attacks that destroyed data in destructive wiper-style attacks cost an average of $4.69 million. The percentage of companies where ransomware was a factor in the breach was 7.8%.

Going back to that initial question by the consultant, where did this $25 million number come from, when the average cost of a breach is a fraction of that figure?

Even after performing a business impact analysis and understanding the range of potential effects from a breach, there are additional questions that should be asked when evaluating cyber risk, including:

  • How much can the potential (range of) impacts be reduced through additional investment in prevention, in response, or in both?
  • How much can the likelihood of an unacceptable breach be reduced?
  • Will the investment result in an acceptable level of risk? (This is critical.)
  • What is the level and type of investment that makes the most business sense?
  • Are there other actions I can and should take? For example, should I exit a business that represents excessive risk?
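To make these questions concrete, here is an added worked example (my own, not from the post or the IBM report) that models cyber risk as a range of impacts, each with its own likelihood, and checks whether a proposed investment both pays for itself and brings the chance of an unacceptable breach within the level the business will accept. Every scenario, probability and dollar figure in it is constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # chance this kind of breach occurs in a year
    impact_usd: float          # loss to the business if it does

# Constructed illustrative scenarios spanning the range the post describes,
# from web-site graffiti to loss of essential IP. Not figures from the report.
BASELINE = [
    Scenario("web site defacement", 0.30, 50_000),
    Scenario("customer PII breach, contained quickly", 0.10, 2_000_000),
    Scenario("ransomware with prolonged outage", 0.04, 6_000_000),
    Scenario("loss of essential intellectual property", 0.01, 25_000_000),
]

def expected_annual_loss(scenarios):
    """Likelihood x impact summed over the whole range of effects."""
    return sum(s.annual_probability * s.impact_usd for s in scenarios)

def prob_unacceptable(scenarios, tolerance_usd):
    """Chance that at least one breach with impact above the tolerance occurs in a year (independent scenarios)."""
    p_none = 1.0
    for s in scenarios:
        if s.impact_usd > tolerance_usd:
            p_none *= 1.0 - s.annual_probability
    return 1.0 - p_none

def apply_investment(scenarios, likelihood_factor, impact_factor):
    """Model a control as scaling likelihood (prevention) and/or impact (response); factors are analyst assumptions."""
    return [Scenario(s.name, s.annual_probability * likelihood_factor,
                     s.impact_usd * impact_factor) for s in scenarios]

def evaluate_investment(scenarios, cost_usd, tolerance_usd,
                        acceptable_prob, likelihood_factor, impact_factor):
    """Does the spend pay for itself, and does it bring the chance of an
    unacceptable breach within the level the business will accept?"""
    after = apply_investment(scenarios, likelihood_factor, impact_factor)
    eal_before, eal_after = expected_annual_loss(scenarios), expected_annual_loss(after)
    p_after = prob_unacceptable(after, tolerance_usd)
    return {
        "eal_before": eal_before,
        "eal_after": eal_after,
        "p_unacceptable_before": prob_unacceptable(scenarios, tolerance_usd),
        "p_unacceptable_after": p_after,
        "pays_for_itself": eal_before - eal_after > cost_usd,
        "risk_acceptable_after": p_after <= acceptable_prob,
    }
```

With these constructed figures, a $1 million spend assumed to halve every likelihood cuts expected annual loss by about $352,500 and leaves a 2.5% yearly chance of a loss above a $5 million tolerance, so against a 2% appetite it fails both tests. The point is that the answer depends on your own range and tolerance, not on a headline number.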


I am not saying that cyber is not a serious issue. I am saying that we should take the consultants’ pitches with a huge bucket of salt. I am saying that we should determine our level (range) of cyber risk in our specific organization, given our specific facts and circumstances.


I welcome your comments.

  1. Mike Corcoran
    September 16, 2021 at 1:30 PM

    Thanks Norman! Good perspective as good as the study reflects the real truth. Most likely way understated.
