How much may an information security incident cost

To determine their information security budget, companies must consider factors such as the average value of potential losses, preferably by event type, as well as the average security expenditure of other companies. Detailed data on this subject is not published, and this is one of the reasons why we conduct a survey every year involving employees who make business decisions related to IT security for many different companies. 

Financial losses

Compared to the results of last year’s survey, corporate losses have increased. While earlier an incident cost them an average of $1.23 million, today the average loss is around $1.41 million. Part of this increase is due to the fact that companies now spend more money on external experts, and their media communications departments work intensively to mitigate the damage to their image.

The funding for the PR department has probably increased because there has been a general tightening of regulations obliging companies to publicly report incidents. This is especially important in the event of a data leak. Today, current and potential customers or partners will surely find out about such incidents, and fear that their data may fall into the hands of cybercriminals. The problem is not limited to large companies: according to those surveyed, 36% of corporations and 31% of small businesses had communication problems during a leak.

Interestingly, the small business segment experienced the opposite trend: the average cost of an incident fell from $120,000 to $108,000, while outlays for compensation and for security tools, both software and infrastructure, have also decreased.

The causes of the incidents

From the point of view of our respondents, regardless of the size of the company, the problem most often stems from employees’ improper use of IT resources, as well as the infection of company devices with malware. Of course, these are very broad categories that cover a multitude of different cases, but the most common situation is an employee clicking a link received in an email and installing a malicious program.

We have described other incident scenarios most often encountered by companies from the SME sector and corporations in the full report. In addition, you can find out, among other things, whether hiring a full-time data protection officer and an internal cyber incident response center has an impact on the amount of losses.