Information security in loss figures

We surveyed almost 5,000 business decision-makers willing to share their thoughts on cybersecurity and their firms’ attitudes about cyberthreats.

To budget for information security, companies need to consider factors such as average potential losses, preferably by incident type, as well as other businesses’ average outlays on security. Precise data on such questions do not get published, and that’s one reason we conduct an annual survey of employees who make business decisions related to IT security for a variety of companies. And now we are ready to share results of our 2019 survey.

Financial implications

Compared with the results of last year’s survey, enterprise businesses’ losses have increased. Where previously an incident cost them an average of $1.23 million, now the average loss is $1.41 million. This growth is partly a result of companies now spending more on third-party experts and PR drives aimed at softening the blow to the firm’s image.

It is likely that spending on PR has increased because of an overall tightening of laws requiring companies to publicly report incidents. This is particularly relevant in the case of data leaks. Today, current and potential clients or partners are certain to find out about incidents, and they worry about their data potentially falling into cybercriminals’ hands. The issue is not limited to large companies: According to respondents, 36% of enterprises and 31% of small businesses ran into PR problems as a result of leaks.

Interestingly,  the small business segment has experienced a reverse of that trend, with the average cost of an incident falling from $120,000 to $108,000, with outlays for compensation as well as security tools, both software and infrastructural, decreasing.

You’ll find a detailed breakdown of specific items of corporate financial loss as a result of cyberincidents in the full report, available for download below.

Incident causes

In the eyes of our respondents, irrespective of company size, the problem is most often rooted in employees’ misuse of IT resources, and infection of company devices with malware. Of course, those broad categories cover a great variety of cases, but, for example, the common situation of an employee clicking a link in an e-mail and installing malware fits both of the above.

The other incident scenarios that both SMBs and enterprises most often face are covered in the full report. In addition, it reveals how having (or not having) a full-time data protection officer (DPO) and an internal cyberincident response center can affect losses, plus lots of other interesting information.

To download the report, please fill out the form below.