Cost of Cyber Attacks vs. Cost of Cybersecurity in 2021

Cost of Cyber Attacks vs. Cost of Cybersecurity in 2021

If you think cybersecurity is expensive, just wait to see what lack of cybersecurity costs. The costs of cyber attacks vs the costs of cybersecurity has been debated for years, however it is now clear which one is the clear winner. According to IBM and the Ponemon Institute’s 2020 “Cost of a Data Breach” report, it was determined that the average total cost of cybersecurity breaches in the US, between August 2019 and April 2020, was $8,640,000. 

Types of Attacks & Associated Costs

The specific costs will depend on the sophistication of the attack and how well executed it was.

For example, a DDoS (distributed denial-of-service) attack could knock systems offline for a few hours, creating a frustrated workforce and unhappy customers – but otherwise the cost would be comparatively low.

By contrast, an attacker who infects an organisation’s systems with ransomware could cripple them for days or even weeks. The cost of recovery, not to mention the ransom payment (if the organisation pays up) could result in losses in the millions.

Malicious actors don’t discriminate based on the size of an organization. The data breaches at eBay, Anthem, and Equifax might have garnered many headlines; however hackers also understand that small organizations also have smaller budgets for cybersecurity and therefore make easier targets. Multiple sources have reported that the average cost per compromised customer’s Personally Identifiable Information (PII) record was around $150 in the year 2019. This means that if only 10,000 customer records were compromised, a small business could face breach costs starting at $1,500,000. If we increase the number of breached customer records to 50,000, we are looking at costs in the neighborhood of $7,500,000.

Compliance Mandates & Fines

Apart from the costs of obtaining access to your data, there are often regulatory fines for an organization for which they may be liable. 

Compliance with mandates, such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) are two of the most important regulations. Explicitly written on the official GDPR website, “GDPR fines are designed to make non-compliance a costly mistake for both large and small businesses.”

The GDPR explicitly states that some violations are more severe than others. These less severe infringements could result in a fine of up to $11,899,550 (€10,000,000) or 2% of an organization’s worldwide annual revenue from the preceding financial year, whichever amount is higher. More serious GDPR infringements — those going against the right to privacy and right to be forgotten — could result in a fine of up to $23,799,100 (€20,000,000) or 4% of an organization’s worldwide annual revenue from the preceding financial year, whichever amount is higher.

Last year, a new set of regulations, the California Consumer Privacy Act were created. The CCPA fines are just as intimidating as GDPR. Each time a business is found to have an intentional violation, they can be fined up to $7,500. Even unintentional violations come with a price tag of $2,500. Violations can also stack up on one another. For example, if a business’s website is using third-party cookies without leveraging a cookie banner for awareness and opt-in, that organization could be committing thousands (or more) of violations per day.

Reputational Damage

According to AON’s 2019 Global Risk Management Survey, UK businesses rate brand damage and cyber attacks in the top three risks. The reality is that cyber attacks have enormous potential to damage the reputation of a business, conflating the two risks. The negative impact can be tangible – a 2019 study reported by Forbes found that a breach can lower a company’s share price by 7%. It can be hard for the organisation to regain customers’ trust, particularly if the breach was widespread or caused by basic security errors.

PricewaterhouseCoopers (PwC), an audit and assurance company that works in cybersecurity, reported that 69% of consumers surveyed believe that the companies they use are vulnerable to being hacked and attacked by cyber criminals. The same survey found that 87% of consumers are even willing to walk away and take their business elsewhere if, or when, a data breach occurs. These numbers highlight that consumers are not only skeptical of the organizations that have their critical assets, but that they are willing to leave a company who goes through a data breach. With consumers being cognizant of both of these, organizations must implement standards to protect its network from bad actors while also preserving its relationship with consumers.

Don’t Neglect Your Security Budget

While there is no one-size-fits-all answer when trying to decide what a “typical budget” looks like for cybersecurity operations, there are a few studies that have been done that can provide some insight. A recent study by Deloitte and the Financial Services Information Sharing and Analysis Center found that financial services on average spend 10% of their IT budgets on cybersecurity. That’s approximately 0.2% to 0.9% of company revenue or $1,300 to $3,000 spent per full time employee.

Other factors to consider:

  • Size of company: The more employees you have = more opportunities for a cyber attack to occur (more computers, workstations, and devices are vulnerable to attacks).  More employees also result in more possible opportunities for successful phishing attacks and business email compromise. As a result, larger organizations tend to require more in their cyber security spending than smaller businesses. 
  • Type of data: Businesses that collect more sensitive data will need additional security layers to ensure they are compliant with industry-standard legal compliance.  
  • Your data needs to be secured under the Health Insurance Portability and Accountability Act (HIPAA) if you’re a medical provider.
  • Businesses in commerce or professional services that store credit card information need to ensure they are following the Payment Card Industry Data Security Standard (More cybersecurity measures in place for HIPAA compliance, PCI compliant if they’re storing credit cards and complying with Sarbanes-Oxley for financial reporting.)
  • Products & Services: The more protection you have in the form of products and services, the higher the overall cost. Businesses that choose both cybersecurity products and services should expect to pay more than if they just select security products.
  • Self-Install vs. Professional Install: Cyber security companies can sell you security products to set up yourselves, or you can contact a security vendor to help install the product (usually for additional setup fees). 
  • Professional Audits: Organizations can periodically conduct third-party audits to ensure they are updated with the latest security and compliance standards.

Ignoring Security Monitoring

User Activity Monitoring allows you to monitor users to verify that their actions meet good security practices. If a malicious outsider gains access to their log-in information, or if an insider chooses to take advantage of their system access, you will have a record of the suspicious activity.

If your organization is like most others, you don’t have the budget to stand up your own security operations center. But that doesn’t remove the need for around-the-clock monitoring and intelligence that will help you investigate incidents and minimize attacks.

In the spirit of preserving your data, session recording software offers a way to protect your organization. Visit to learn more about how we can help you prevent data insider threats and theft.