I tell you, I yearn for the days to come when I turn on the news at night and there will be some good news to hear.  I live in the Chicago area, and every day there are shootings, riots, protests, etc.  Then of course there is the usual talk about COVID19, blah, blah, blah, etc.  Is this a sign of the times?  I sincerely hope not!!!

So to get away from all of this, I usually drown myself in the Cyber news headlines every day and bring out to you the news headlines that I think are the most relevant and useful to you. 

But even here, the news headlines are not too happy either, as many of them are about this company being hacked into, this amount of data record sets being hijacked, Social Media breaches, the banning of Huawei and Tik Tok, etc. 

The only good news that I have come across of late is that there is still a good amount of VC funding taking place, especially for those Cybersecurity companies that are in the startup phase.

But the common denominator here in the Cyber world is something being stolen.  The interesting thing is that the bulk of the news stories do not mention anything about the true dollar cost of that particular security breach that has transpired.  In fact, this is a topic that nobody even really touches upon.  Why is this so?

There could be a number of reasons, but most likely the number one is that businesses in Corporate America simply do not want to disclose any kind of information like this, for the sheer fact that it could cause irreparable damage to their brand reputation, which is, of course, understandable.  But still, we need to get a good grasp from somewhere as to how much a security breach does indeed cost, at least on a macro level.

Well, this is where the recent study conducted by both IBM and the Ponemon Institute has some answers to this burning question.  In a joint effort, they conducted an exhaustive study across 524+ businesses around the world, over a time period of August 2019 to April 2020.

But it should be noted that only those companies that had a security breach which involved the theft of between 3,400 and 99,730 Personally Identifiable Information (PII) datasets were closely audited and examined.

This full report can be downloaded at this link:

Here are some of the key findings of their study:

*The overall cost of a security breach to the companies that were examined was right at about $8.64 million on average;

*The average cost of a security breach in the United States was pegged at $8.64 million;

*The healthcare sector was the most impacted, with an average of $7.13 million per security breach that they faced;

*The average cost of a stolen PII record is $170.00 in the United States.

But believe it or not, although these numbers are no doubt grave, this is actually an improvement from the previous year.  For example, the average cost of a security breach in 2018 was pegged at a staggering $3.92 million. 

But it is important to note that these costs just mentioned are not just the direct cost of impact and downtime.  There are other factors at play here, which the study took into further consideration as well.  These are as follows:

*The total costs of the investigative process, especially conducting the Forensics study to gather latent evidence;

*The total costs that are associated with conducting an audit of the entire IT/Network Infrastructure of the company that was impacted;

*The total costs involved in notifying key stakeholders about the security breach;

*The total costs of other ancillary expenses, such as legal fees, providing free credit monitoring services to customers, etc.

Here are some other interesting stats discovered by the survey:

*Those companies that deployed too many security tools had costs that were $292,000 higher than the average;

*The lack of a fully staffed Cybersecurity team increased the average cost to $257,429.00;

*Failure to come into compliance with the GDPR and the CCPA added yet another whopping $255,626.00 to the overall cost of a security breach.

But those companies that had a more proactive approach to their security model actually witnessed a total decrease in the average cost of a security breach.  For example:

*Those that actually had an Incident Response (IR) Plan and a Business Continuity (BC) Plan and rehearsed them saw their total bill go down by about $280,000.00;

*Those that did Penetration Testing exercises saw a decrease of $243,185.00;

*The companies that had mandatory Cybersecurity Training programs saw their cost go down on average by about $238,019.00.

My Thoughts On This

Well, now we know what the average cost of a security breach is, from a leading and rather authoritative source, I might add.  I actually find it surprising that the United States would be ranked up at the top.

But it is not surprising to see the healthcare industry being impacted as much as it is, because they literally have a treasure trove of PII datasets that can be worth millions if sold on the Dark Web.  But there are two things that I want to elaborate on from what I have seen in this study.

First is the interesting stat about those businesses that have too many security tools in their arsenal.  Yes, it is only human nature to think that the more you have, the better.  In other words, there is “Safety In Numbers”.  But this is far from the truth.  As I have written about many times before, having more is not better.  In fact, it is worse.  The primary reason for this is that it simply increases the attack surface for the Cyberattacker.

Therefore, I think that the CIOs as well as the CISOs in Corporate America are now starting to realize that it is far more important to spend on fewer tools but make them more effective by placing them in their most strategic places.  In other words, instead of deploying ten firewalls, perhaps only deploy three of them so that they can be used most effectively.  But this, of course, can only be done with an exhaustive Risk Analysis.

Also, by having fewer security tools at hand, your IT Security team will also have less to triage through, thus alleviating the problem they constantly face of “Alert Fatigue”.

Second is the lack of Cybersecurity workers.  This is also an area that I have written about before; it all comes down to the fact that Corporate America wants to hire only those people with tons of experience, and that have a list of certifications that can span the entire alphabet.

But you know what, there is no reason for this.  There are a ton of qualified workers out there, who want to work hard and prove their worth.  All they need is some mentoring and more specialized training, and they will be off to the races.

And you know what?  Yes, there will be some time and expense in doing the above, but it will be far cheaper to hire a younger person than a much older professional.  Plus, with a younger crowd, they will be able to bring much more to the table in terms of ideas and innovation than what the pros can bring.  This is just my opinion.

Third, this study shows that being proactive about Cybersecurity can pay dividends in the end.  It may not happen right away, but it will over a period of time.  I would say give it at least a year, as this was the time period for this particular study.

You may not necessarily have to invest in all of the latest and greatest security tools, but the most important items in this regard are both the IR and BC Plans.  Not only should they be rehearsed on a regular basis, but they should also be updated with the lessons learned from those rehearsals as well.

These kinds of plans are even more crucial than before, given how the proverbial Remote Workforce will be here with us for a long time to come yet.  You also need to have a dedicated IR Team in your company. 

There is no need to hire an external third party to do this; you can make your employees the IR Team.  For example, those companies that had this component witnessed a decrease in cost of almost $2 million versus those companies that did not have a dedicated IR Team.