A security breach can be expensive. Many studies and statistics put the average cost of a security breach in the millions of dollars. This figure, however, does not mean much without context. Indeed, deriving an average cost for a security breach is complicated, because many factors come into play: the circumstances of the breach, its extent, and what kind of data the attackers stole, among others.
WordPress administrators and website owners might feel inclined to downplay the risks of a security breach. After all, there is only one website to protect, and that is easy enough with a strong password, right?
In reality, things are slightly more complex. WordPress does not operate in a vacuum and must rely on other systems to function. The number of systems that fall within your purview largely depends on your hosting plan. Either way, it would be wise to recognize that these other systems exist and carry some risk, however minimal it might be. Even reputable hosting providers suffer breaches, after all.
This article will list the most significant costs associated with a security breach, with a particular focus on WordPress websites and administrators. We will also look at the factors that typically affect costs to help you understand what your risks and exposure levels are should you suffer a security breach.
Note: just in case, read this guide to check if your WordPress website is hacked.
These are some of the major factors to consider when estimating the cost of a security breach. As the sections below will show, each factor may also involve many variables, which can make the actual costs vary widely. Either way, they represent a good starting point.
What kind of data was compromised?
The first factor to consider is the type of data that was compromised. This matters most when personal data is involved. If personal data was stolen, you also need to consider whether it belongs to employees, customers, or both, since this will affect the costs.
The next thing to look at is what kind of personal data was stolen. For example, if you run an eCommerce store and credit card information or health data were compromised, costs would skyrocket. This data is highly sensitive, and its exposure can have serious negative repercussions for the people affected by the breach.
How many people were affected?
The number of people affected by the breach will also impact the cost. Certain legal and compliance obligations also kick in once a threshold is surpassed; however, this varies from one jurisdiction to the next.
How did the breach happen?
Understanding how the breach happened is another crucial factor that can contribute to the cost. This will help determine whether the breach was due to negligence or not. If negligence played a part in the breach, costs tend to go up.
Is this the first incident?
Subsequent incidents tend to carry a higher price tag than first-time breaches. The two major cost drivers here are fines and reputational costs.
Will it make the news?
If the security breach is likely to make the news, you can expect costs to go up depending on whether it will hit regional, local, national, or international news.
Where are you based?
Where the company or entity that manages the website is located will also directly impact the costs. This is mainly due to any legal requirements and/or obligations that the law within the jurisdiction imposes in such cases.
Now that we have covered the factors, we can look at the biggest costs typically associated with a data breach.
A lawyer and, in some cases, a breach coach are essential actors who help companies and WordPress administrators navigate the often complex ramifications of a data breach. They are also helpful when it comes to fines, potential legal action, and many of the other costs associated with a data breach.
Forensic teams help determine what happened and the path forward. If you run an eCommerce store such as WooCommerce, you can also expect the card carriers to request that a specialized forensics team assess the incident. These costs are usually borne by the company that suffered the breach.
PR and Crisis Management
Depending on the size of the breach, a crisis management team and a public relations person or team may help contain the fallout. A breach can lead to reputational damage and loss of revenue well into the future, which is why it is essential to contain it.
Breach notification is a legal requirement in the US. The rules vary depending on the state and the extent of the breach.
In many cases, companies are required to provide their customers with a free-phone/toll-free number that they can call for more information about the breach. Here you need to consider whether you have existing capacity to handle such calls or whether you need to outsource it.
In some jurisdictions, companies are required to provide customers whose data was stolen with credit monitoring services, to help ensure they do not suffer fraud. Even where it is not required, offering such a service is good practice and can mitigate the reputational damage caused by the breach.
Fines can come in all shapes and sizes. They mainly depend on the jurisdiction in which you reside, the extent of the breach, the kind of compromised data, and the sector in which you operate. For example, data breaches in the EU may be subject to GDPR fines, which may go as high as 4% of revenue. In the US, HIPAA violations are prosecuted by the State Attorney General and OCR. PCI fines can also be levied in cases where credit card data was stolen.
Around 5% of reported breaches end up in some form of litigation, although several factors determine whether a given breach will. Lawyers are the best resource for direction here, but litigation risk is worth keeping in mind when estimating costs.
Prevention is better than cure
A data breach carries many costs. Some are immediate and direct; others are long-term and difficult to assess, such as lost revenue due to reputational damage. In many cases, the costs of a data breach can be high enough to wipe out a business. Fortunately, there is an easier way out.
It is important to recognize that IT infrastructures are often complex, and breaches can be initiated from any point, sometimes even from within. As such, a comprehensive WordPress security policy is of critical importance: one that includes risk assessment and mitigation, as well as a plan for how breaches are handled.
Also, although not quite a silver bullet, two-factor authentication comes very close. Consider this: 81% of breaches are carried out using stolen credentials, and MFA stops some 99.9% of such attacks, helping you eliminate a large share of your risk with a single technology.
Major companies including Google and Microsoft are getting behind 2FA, recognizing its efficacy in risk reduction. As a WordPress administrator or website owner, you too can leverage 2FA to improve your security with WP 2FA, an easy-to-install and easy-to-manage 2FA plugin that comes bundled with one of the most advanced and extensive feature sets around.