The Rising Costs of a Data Breach

It’s a familiar story: Threat actors breach a company’s network, steal millions of customer records, and victims pay hundreds of millions of dollars to recover from the attack.

In our report, The True Cost of a Security Breach, ExtraHop examined the costs of six major breaches, ranging from about $160 million to over $1 billion, and including mitigation expenses, legal fees, regulatory fines, and disruptions of business operations. The report provides a high-level explanation of how each breach took place, and explains how network detection and response can help organizations identify and stop similar attacks.

The report also shows that direct expenses don’t tell the whole story. In most cases, the breaches also preceded significant drops in stock prices and huge declines in net income. In the five public companies we examined in our report, net income was down an average of 73 percent in the third quarter following each data breach.

One company reported drops in net income of more than 150 percent in back-to-back quarters shortly after its data breach. A second company reported a drop in net income of more than 700 percent in one quarter following its breach.

In addition, stock prices declined at four of the five public companies in the weeks following the announcements of the breaches. Stock prices were down between 11 percent and 35 percent one month after the breaches.

Since we released our report, dozens of additional breaches have been reported in the media, some likely to cost hundreds of millions of dollars related to incident response and remediation, breach notification, regulatory fines, legal fees, lost revenue, and more.

Time to Take Cybersecurity Seriously

The frequency with which organizations are reporting breaches these days suggests that the risk is a lot more pressing and immediate than many organizations may realize. It also begs the following questions:

1. Do organizations have the visibility they need to detect and stop attacks in their earliest stages, before they lead to material business impact?
2. Given mounting evidence demonstrating that data breaches are bad for business (including data from our True Cost of a Security Breach report), when will more corporate boards and executive leadership teams start taking cybersecurity seriously and investing proportionally?
3. Will the SEC charge more CISOs and publicly traded companies with defrauding investors by failing to disclose known cybersecurity risks and vulnerabilities?

On the question of visibility, we know that threat actors are increasingly employing tactics and techniques like Kerberoasting that are designed to evade EDR, SIEM, and perimeter-based security tools. In fact, the CrowdStrike 2023 Threat Hunting Report exposed a 583% increase in Keberoasting attacks and a 62% increase in abuse of valid accounts. These increasingly common attack scenarios call for the combination of 360-degree network visibility across on-premises, cloud, and hybrid environments; continuous packet capture; machine learning; and decryption capabilities that only the Reveal(x) network detection and response platform can provide. Reveal(x) sees everything, shows everything, and leaves attackers with nowhere to hide.

We hope our report gives you the information you need to advocate for a strong cybersecurity program and investment in technology like Reveal(x).

Check out our report, The True Cost of a Security Breach, and let us know what your executive leadership team and board of directors require in a business case for cybersecurity investment.