Many companies, including vendors doing cyber risk analysis, tend to focus only on the cost of fines, breach notification, and credit monitoring efforts when defining the cost of a breach. But, according to research by the Ponemon Institute funded by IBM, this only begins to scratch the surface. The average data breach costs the breached company $148 USD per record when other, secondary factors like lost reputation, lost productivity, brand tarnishment, and lost revenue are accounted for. This means that for the “typical” data breach, a company can expect to lose nearly $4 million USD. The costs can vary significantly depending on industry, with healthcare and financial services organizations seeing costs nearly three times average. Ultimately, a poor cybersecurity culture is a fundamental reason why organizations continue to be breached. The CISO of a major bank was interviewed by Ponemon for NBC News, and said “Even though this was not our first data breach, I was surprised to see just how easy it was for the attackers to seize the identity of privileged users. The theft of valid credentials allowed them to bypass perimeter defenses and hunt for vulnerabilities”.

Effective cybersecurity begins with the Board and C-suite. If the organization’s officers and directors are not creating the right culture, employees will not pay appropriate attention to cybersecurity.