Northwestern University

The Costs of a Breach

It is difficult to quantify the true cost of a data breach; the numbers vary by industry, individual, and regulation. In 2020, however, 3,200 individuals from 524 breached organizations across 17 countries and regions and 17 industries were interviewed. These results were published in an annual report from the Ponemon Institute.

The good news for the Education sector is that the average total cost of a breach went down 20.2% in 2019-2020, compared to the previous year. Nevertheless, the cost of a breach remains significant and still costs institutions millions in losses on average.

Some of the report’s key findings indicate that:

The report also breaks down the breaches by root cause: malicious attacks (52%), system glitches (23%), and human error (23%).

Elapsed Time Matters

In previous years, research has shown that the faster the data breach is identified and contained, the lower the costs. The following metrics can be used to determine the effectiveness of an organization’s incident response and containment processes:

If you suspect that your computing device WAS compromised, please report it as soon as possible to our Information Security Office.

The consequences of a data breach can remain for years. In last year’s study, the Ponemon Institute examined how organizations might be impacted by data breach costs over a span of two or more years. The analysis showed that costs were greatest in the first year after a breach but tended to increase again after two years.

Figure: average time and costs of breaches (from Ponemon Institute's "Cost of a Data Breach Report")
Costs of a Malware/Ransomware Breach

Throughout my years of providing desktop support, I found that a security breach of an individual device usually takes an average of 72 hours of downtime. This includes diagnostics, reformatting a computer to bring it back to working condition, and data recovery.

If you have regulated data that is compromised, you will have to account for each individual record. The fines vary by institution, but the average fine is $1000 per individual record compromised.

Your time + My time + Technician’s time + Fines × (number of records compromised) × (number of devices compromised) + Reputational Damage
Costs of a Social Engineering Breach

Social Engineering is perhaps the most complicated data breach to mitigate. Depending on each case, you might end up disputing claims with different organizations.

Your time + Diagnostics time + Amount Stolen 
Costs of Equipment Failure

How frustrating it is when a computer/device stops working all of a sudden! The hard disk crashed, a USB Key no longer works, the computer died… Luckily, you had a data recovery plan in place because you were proactive. Known backups exist, and data can be recovered either from an external backup drive or a cloud backup account. The only worry is cost and time to replace the damaged equipment.

If a data recovery plan is non-existent, it can be a lengthy and painful process—your data may not be recoverable. Research, theses, photographs, videos, audio all gone in a split second.

Data recovery is not cheap! Anecdotally, from an incident in 2017, data recovery from one 4GB USB Memory drive ended up costing $1400, with a turnaround response of one week. The price increases if you want a faster turnaround response, and it’s not 100% certain that you will get all data recovered.

Costs of Software Failure

Software failure, or misconfiguration, is another costly recovery process.

Do you host a database on a server? Do you have a website running JavaScript, PHP or other code? Do you ensure that your code is in tip-top order? Are your firewall rules actively doing what they are supposed to do? Did you know that having unsecured, out-of-date code can leave you vulnerable to targeted attacks? Malicious actors are always scanning for vulnerabilities, and open (vulnerable) database/web servers are the most targeted and easiest way to steal data.

The costs of server software misconfigurations are not only that your website might be defaced, but also that your data records might be stolen. This has happened to Facebook, Yahoo, and Experian. Imagine the reputational damage, the financial costs of fixing issues with your code, and the cost of hefty fines if the records exposed are PII or HIPAA regulated.

And then there are the outdated software applications. Examples are an outdated Operating System—MacOS, Windows, Linux—an outdated web browser, MS Office, or even Adobe products. If these applications are outdated, devices (even mobile devices) are more prone to a localized breach.

If you participate in the use of CrashPlan PRO for Northwestern University, you can learn how to check if your backup is in an optimal state; you can also learn how to restore files.

Costs of Physical Theft

Physical theft is perhaps the most obvious event that makes one panic and think consciously about data security. Do you know what to do (besides calling the police) if your computer is lost or stolen? 

Such an event is a great use case for the University Security and Management Systems, such as KACE and Jamf. Our University IT units have the capability of locking your computer, erasing data, and even potentially locating your device—if, and only if, your computer was configured using the University Management Systems. These tools help us protect your identity. They assist us in collaborating with the authorities and allow us to prevent direct access to your data.

Data privacy and security concerns will only increase year after year. Institutions are improving ways to mitigate data breaches and malware attacks with limited budgets and personnel. But in the end, even the most expensive and well configured tools will not prevent an individual from (unsuspectingly) opening the door to a criminal organization. The risks are even higher with the increase of work-from-home environments.

How much would a data breach cost you?
