Here are the new statistics released this month from the Ponemon Institute's annual survey of breach costs.
$188 per record lost – Average cost in 2012 for a data breach in the US
28,765 – Average number of records per data breach in the US
$5,403,644 – Average cost of a breach in the US
$565,020 – Average cost to notify clients of a data breach in the US
$3,030,814 – Average cost of lost business from a data breach in the US
The cost figures are plain and simple. They are verified. They speak for themselves. If you are having trouble getting executives to buy into the notion that no security is more expensive than a little security, float these numbers past them. At $188 per record, a breach of just 500 records will likely cost you $94,000. Information security is critical to survival. Ironically, the smaller you are, the worse a breach will hurt from a financial perspective.
Ask your executive team if they would consider not having a fire extinguisher or casualty insurance for your office. If they say no, ask why they are willing to take such large risks with information security. You're probably far more likely to suffer a security breach than to have a fire. Once the risk is put into proper perspective, most executives will follow your logic and begin to appreciate information security activities.