Determining the cost of a data breach remains difficult

Businesses have long bemoaned the amount of money it's necessary to spend on security systems, but the recent Sony breach has shown that the negative effects of an attack can be so wide-reaching that they're nearly incalculable.

It can be tempting for businesses to opt for immediate savings by cutting security costs, instead of investing money in a system whose benefits are not immediate or necessarily visible. That's why it's crucial for CEOs to take into account the likely financial loss that would result from a breach. It would be extremely reasonable, for example, to spend $10 million on security if a data breach at your company would cost $100 million. Although the exact cost of an attack is impossible to predict, it's well worth the time to pin down approximate numbers so that it's clear how much you should be investing.

When estimating the costs of a breach, the Ponemon Institute recommends including the cost of hiring a team of forensics experts to conduct an investigation as well as the costs associated with hotline support, customer notification and free credit monitoring services for affected customers.

The Ponemon Institute's 2014 Cost of Data Breach Study found that the average U.S. company loses $5.85 million as a result of a data breach.

However, a truly large-scale breach such as the one at Sony will include other costs as well, such as the restructuring of the business' entire IT network. According to analysts at Macquarie Research, this could cost Sony up to $83 million.

There are also the legal fees to fight lawsuits brought against the company over the loss of private employee data, as well as the cost of business lost during the crisis. For example, eSecurity Planet reported that Sony was forced to pause the production of several films during the height of the security breach.

Other, intangible losses also have to be taken into account to get a full picture of a breach's impact. For example, Target experienced a major backlash after its 2013 breach, because customers lost faith in the company's ability to protect their payment card information. It's taken the company many months to regain consumer trust and resume its former position in the marketplace.

In the case of Sony, embarrassing, politically incorrect leaked emails caused a change in how the public perceives the company and the company's executives, leaving consumers with a feeling that Sony is unprofessional and was sloppy with its security measures.

Sony's CEO, Kazuo Hirai, has stated that he doesn't believe the company will be financially affected this year as a result of the cyber-attack. Some security experts, however, disagree with this assessment.

"As CEO, Kazuo Hirai is in the best position to judge whether the financial results for this year will be unaffected by the recent security breach," one security expert told "However, it is more likely that the non-tangible effects of the breach could impact against the next year's financial result via the loss of consumer confidence, and increased defensive spending overhead."

If you run a small business, then you probably won't ever have to face a security breach of the scale that Sony has experienced. However, cyber-attacks affect local businesses as well, so it's crucial that you make sure your employees are using secure credit card payment software. It's part of your job to protect your customers' payment information from potential thieves, so take this time to upgrade your security. It's always more cost-effective to spend on defensive measures than to spend money cleaning up the mess from a breach.
