Data loss is one of the most common causes of business disruption today—and one of the most costly. When critical files get wiped out, operations suffer and downtime ensues.
Even the loss of a single critical file can create costly challenges for a business. And in the case of a large-scale data-loss event, like a ransomware attack, the recovery costs can sometimes be insurmountable for smaller companies.
1 in 5 small businesses shut down when attacked by ransomware—some of them permanently.
In this post, we examine the actual costs of data loss (and the downtime that results) to underscore the importance of having a robust business continuity solution in place.
How much does data loss cost?
Data loss can cost anywhere from a few thousand dollars to more than $15 million, depending on the volume of data. On average, small instances of data loss (fewer than 100 files) cost businesses between $18,000 and $35,000, while large-scale incidents can cost up to $15.6 million, according to a study by Verizon.
Calculating the average cost of data loss can be challenging, because it can vary widely depending on the size of the business and how valuable the data is. However, there is no disagreement that a typical data-loss event can be tremendously expensive.
Here are some telling figures:
- A 2022 study by IBM and Ponemon Institute found that the global average cost of a data breach was a staggering $4.35 million, or approximately $164 per data record. However, that research mostly focused on the costs of data breaches, such as theft of personal user data, login information and credit card numbers.
- A leading BC/DR provider estimated that data loss costs U.S. businesses an average of $7,900 per minute during a datacenter outage.
- A recent report by Verizon found that “small” instances of data loss (around 100 lost or compromised records) cost businesses an average of $18,120 to $35,730.
- The same study found that large-scale data loss (100+ million records) costs an average of $5 million to $15.6 million.
What’s the difference between a data breach and data loss?
Data breaches refer to incidents in which data has been illicitly accessed, copied or stolen by unauthorized individuals or systems. Data loss refers specifically to data that has been destroyed, deleted or has gone missing.
In a data breach, security safeguards are breached, allowing external parties to gain access to data. Often this data is discreetly copied, but not destroyed, so that the intruders avoid detection and can later sell it to other cybercriminal groups. In a data-loss event, the data is actually lost.
While the two terms describe different types of events, they sometimes overlap. For example, data breaches will sometimes involve the destruction of data after it has been stolen. Additionally, threats like ransomware, which effectively destroys data with encryption, are sometimes referred to as breaches because of the malware’s ability to break through security measures.
What is the cost of downtime?
Another reason why calculating data loss can be tricky is that the end cost ultimately depends on the consequences of the loss, not necessarily the missing files alone. When data is lost, it can cripple your operations, and that’s where the costs really add up.
For that reason, it’s typically more helpful to think of the cost of data loss in terms of the cost of the downtime that follows. Downtime is defined as the length of time that operations are interrupted (or altogether halted) by data loss.
- On average, downtime from data-loss events like ransomware costs small companies more than $8,500 per hour, according to 2016 figures from Aberdeen Group.
- Depending on the company’s size, Datto estimates that the costs of downtime can vary from $10,000 per hour to more than $5 million per hour.
Downtime caused specifically by ransomware has been surging over the past year. Datto found that the costs of these incidents have nearly tripled in recent years, from $46,800 in 2018 to $274,200 in 2020.
Why the wide ranges?
Every business is unique. A data-loss event for one business can be exorbitantly more expensive than for a similarly sized business located right across the street. It all depends on how that data is used (and how it’s protected).
Factors that can influence the cost of data loss:
- Size of the company
- Amount of data lost
- Value of the lost data and/or its impact on operations
- Recoverability of the data
- Length of outage / speed of recovery
Larger businesses naturally have much larger datasets, which can increase the costs of a disaster. On the other hand, larger companies also tend to have greater financial resources for recovering from such an event, whereas smaller companies face a greater risk of failure.
Examining the costs of data loss
So, why does data loss cost so much?
We’ve established that disasters like ransomware attacks can be extremely expensive for a business, particularly when they lead to downtime. But what, exactly, factors into that downtime to make it so costly?
Without even taking into account the “add-on” expenses of things like emergency IT teams and hardware replacements, there are numerous ways that costs can skyrocket from the moment the disaster occurs.
Idle employees and lost wages
When business stops, employees are idled. This means they’re left with nothing to do, even though they’re still on the payroll.
Consider a ransomware attack that locks up all your computers, servers and email systems. Employees can’t do their jobs (or basically anything productive). And, if they’re salaried workers, they’ll continue to be paid, even if you send them home.
Even if they are hourly workers, and you decide to send everyone home – how much money is lost before that decision is made? Every hour of downtime, multiplied by the number of idled employees, can add up to a significant amount of lost wages.
In an interview with the New York Times, FBI Cybersecurity Chief Herbert Stapleton emphasized the wide-ranging costs of a ransomware attack: “What we find most concerning [about ransomware] is that it causes not just direct costs, but also indirect costs of lost operations. We certainly view it as one of the most serious cybercriminal problems we face right now.”
Another immediate cost of data loss is an interruption to revenue streams.
For example, if the business suddenly cannot take orders or process transactions after a server outage, the loss of revenue is immediate. If an online retailer’s website goes down, orders stop instantly. If ransomware encrypts all product data and customer records, sales teams can’t make their sales.
Revenue is stopped, and yet money is still going out in the form of wages and other expenses. That’s where the situation can become dangerous for smaller companies, which can only sustain such a disruption for so long before running out of funds.
Mechanical breakdowns aren’t the only threat to your production lines. When the applications or IT systems that power those processes go down, the end result is the same: an immediate stoppage. And with each minute that those systems remain offline, the business loses more money.
- In the auto industry, production downtime costs an average of $22,000 per minute, according to a survey of industry executives.
- On average, a manufacturer experiences 800 hours of production downtime a year, due to a wide range of factors, including data loss.
- For large industrial manufacturers, the costs of downtime can range from $10,000 to $250,000 per hour.
In 2017, the NotPetya ransomware attack halted production for pharmaceutical giant Merck. The company revealed in regulatory filings later that year that the attack had caused $870 million in damage. But by December 2019, after several lawsuits against its insurers, Merck ultimately claimed $1.3 billion in losses from the event.
We’ve mentioned how data loss can idle your employees, causing wasted wages. But what about smaller data-loss events, such as a single application going down or a single accidentally deleted spreadsheet?
These events might not cause the same widespread losses as a major downtime event, but they can still be very costly. A single lost file, for example, can lead to an employee wasting hours searching for it and seeking support from IT. That alone is a sizable productivity loss, and it doesn’t even take into account the other processes that are likely being disrupted if the file was critical to operations.
Industries like healthcare and financial services are particularly hard-pressed to protect their data from being compromised. If they’re found to have fallen out of compliance with stringent regulations such as HIPAA, they can be slapped with big fines.
HIPAA sets guidelines for protecting sensitive patient data, including rules for how the data is stored. Penalties for violating those rules can range from $100 to $50,000 per record, depending on the level of negligence.
Data loss resulting from the theft of an unprotected medical device or computer is just one example of a potential HIPAA violation.
Damaged reputation and credibility
Service disruption, no matter what the cause, irritates customers and can damage the business’s reputation for weeks or years.
The cost of “reputational” damage is hard to define, but it affects businesses in every industry. And in the age of social media, a single negative experience can quickly flare into a crisis.
Customers and clients don’t care if ransomware has eaten your servers or if your hard drive has gone bad. They just want the same dependable service they’re used to. And if the business can’t deliver on that promise, things can go south in a hurry. Additionally, events like ransomware attacks can create the perception that the business is lax about security, and customers may begin to feel unsure about providing personal information or payment info.
When a disappointed customer decides to take their money to another business, they may never return.
How often does data loss happen?
A report by IT Policy Compliance Group found that one-fifth of organizations experience 22 or more data-loss events a year in which sensitive data is stolen, lost, leaked or destroyed.
Human error is typically the #1 culprit, as data is often accidentally deleted or compromised by user action. Other common causes of data loss include:
- Hardware failure
- Software errors, bugs or crashes
- Operating system failure
- Ransomware, viruses, other malware or cyberattacks
- Physical damage from on-site events, such as fire or natural disaster
How do we prevent permanent data loss?
Businesses can significantly mitigate the impact and cost of data loss with a data backup solution.
While no business can completely eliminate the risk of data loss, a good backup solution will ensure that lost data can be quickly restored. Today’s business continuity solutions can back up a business’s entire computing infrastructure every few minutes and enable near-instant recovery options, on-site or via cloud backups.
For small businesses especially, a dependable data backup system can prevent a data-loss event from becoming a costly, insurmountable disaster.
Can data loss be prevented in other ways?
While permanent data loss can be prevented with data backups, there are other effective ways to prevent data loss from occurring in the first place.
Recall, for example, that human error is a common cause of data being inadvertently destroyed. Organizations can therefore reduce the risk of data loss by implementing systems that help to lower the risk (and impact) of human error. Cybersecurity training for employees is one example of an effective preventative measure, as we illustrate below.
Strategies for data loss prevention:
- Routine updates to software & operating systems: Outdated software poses a serious security risk. Cybercriminals will exploit known vulnerabilities to gain access to systems and lay the groundwork for ransomware or other cyberattacks. Software and operating systems must therefore be patched as soon as updates become available.
- Employee cybersecurity training: Many cybersecurity incidents occur because of mistakes made by end users. For example, someone might fall victim to a deceptive phishing email or accidentally open a malicious attachment. Businesses can reduce the risk by routinely educating employees on how to spot suspicious messages and how to use Internet/email more safely.
- Access control restrictions: The greater the network restrictions, the less damage can be caused by users or malware. Use the Rule of Least Privilege to restrict users’ access to only the files and folders they need for their day-to-day jobs. That way, if users accidentally delete files or their accounts are hijacked, the damage will be contained to those few directories.
- Hardware replacement: Prevent unexpected hardware failure by replacing aging drives and other hardware before they begin to fail. Use a replacement schedule to track when hardware should be replaced. Plus, monitor performance to identify early signs of drive failure.
Further mitigation of the risks and costs of data loss
Data backups are critical, but they need to be part of a larger business continuity strategy. Businesses that properly plan for data loss can greatly reduce the cost of such incidents when they occur. This involves implementing an array of measures for data-loss prevention and response, guided by careful planning.
Important components of a business continuity strategy:
- Business continuity plan: A comprehensive document that outlines your entire strategy, including the systems and protocols that help ensure the business can continue to operate during a data-loss event or other types of disruptions.
- Risk assessment: A thorough evaluation of the business’s unique risks and their likelihood of occurring. This assessment should identify not only the risk of data loss, but also other disruptions, such as power outages, server failure, natural disasters and so on.
- Business impact analysis: An assessment of the actual costs and operational impact of the disruptions identified in the risk assessment. This analysis should estimate the cost of data loss according to the different types of incidents that cause it, as well as the cost of other operational disruptions.
- Preventative measures: An outline of the implemented systems and procedures that help to prevent data loss and other disasters from occurring.
- Response and recovery protocols: An outline of the steps and systems that should be used following a disruption to restore operations and, if applicable, recover lost data.
- Testing: A timetable for testing various components of the business’s continuity planning, such as recovery procedures, drills and backup recovery tests. Routine testing is needed to confirm that the processes and systems outlined in the continuity planning will be effective in a real-world event.
Smaller businesses cannot afford the astronomical cost of data loss. When critical data is deleted or destroyed by malware, operations are disrupted and a full recovery can take days or weeks. Every minute of downtime can cost the business thousands of dollars. And in a large-scale data-loss event, such as ransomware, some companies may be forced to close their doors permanently.
Still, no business is completely immune to data loss. Companies can mitigate the risks and costs of data loss by implementing sound business continuity systems and protocols. Most importantly, businesses must deploy a dependable data backup system that rapidly restores data after a disaster.