There’s More to Fixing a Data Breach than Patching the Hole

With data breaches at an all-time high, so are the costs – and not all of them are obvious

Most people believe that Warren Buffett knows a thing or two about business. How to run them, how to grow them, and how to fix them. So, when the Oracle of Omaha drops some wisdom, business leaders pay attention. Like this: “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”

Data Breaches are on the Rise

Let’s bring that closer to home with the impacts, often preventable, of data breaches and cyberattacks. According to the non-profit Identity Theft Resource Center’s 2024 Data Breach Report, there was a near-record number of data compromises last year in the U.S. – 3,158, just 44 short of tying the all-time high set in 2023. In the European Union, there were more than 350,000 compromises reported to the data protection authorities around the EU.

Most of the events that resulted in a legally required U.S. data breach notice were some form of cyberattack: 2,525 out of the 3,158 compromises reported, resulting in more than 1.2B notices to individuals whose data was exposed in the breaches. No matter the size of your company, that’s a significant dent in your reputation and budget.

The Financial Impact of Data Breaches

According to IBM’s 2024 Cost of a Data Breach Report, the average U.S. data breach cost $9.36M in direct & indirect costs last year – the highest in the world based on breaches between 2,100 and 133,000 records. The global average cost was $4.88M. Breaches of 1M or more records increase the costs by 100x or more.

The single largest component of breach remediation costs in 2024 directly related to the issue highlighted by Warren Buffett: reputation. In 2024, nearly 60 percent ($2.8M) of the global average breach cost was directly related to operational downtime and lost customers, the cost of post-breach responses, such as staffing customer service help desks and paying higher regulatory fines – all items directly related to mitigating the market damage of a breach.

Regulatory Challenges and Reputation Management

Avoiding regulatory entanglements has also been a prime motivation for organizations of all sizes, especially publicly traded companies subject to the jurisdiction of the U.S. Securities and Exchange Commission (SEC). The Commission saw a 60% increase in notices from public companies that suffered a cybersecurity or data breach in 2024 after new notice rules went into effect in late 2023. So many companies were filing notices of an attack when they didn’t have to, in an effort to avoid damage to their reputation, that the SEC issued guidance suggesting publicly traded businesses not issue so many alerts.

Key Takeaways

What lessons should we learn from the mountain of data emerging about the root causes and impacts of cyberattacks and data breaches?

Data breaches are a major drain on resources. A 2024 study by Comparitech concluded that the share price of businesses dropped between three and five percent (3% – 5%) in the short term after reporting a breach. Financial services companies saw their share prices drop 7.5% on average after a breach according to the Harvard Business Review. For context, United Healthcare reported spending more than $1.5B in direct costs and ~$2.5B in total costs in the first nine months following a data breach in early 2024. Executives claimed the event had shaved $.70 per share from the company’s price.

Customer churn skyrockets for most businesses. A 2025 research report found that 58% of consumers believe brands that suffer a data breach are not trustworthy; 70% of consumers say they would change brands after a security incident. For banks, 38% of customers threatened to take their business elsewhere after a breach.

Recovery touches every part of a compromised business. Brand/Reputation makes up nearly 40% of a company’s value. Any event that damages a business’ reputation has a disproportionate impact, meaning sales teams have to work harder to sell; company executives have to spend more time and resources on employee recruiting and retention as well as investor and community relations. Ops teams have to focus on implementing mandated changes instead of the projects planned for the year.

Defenders Need More Juice

Many (if not most) cyberattacks and data breaches are preventable. More than 200 of the U.S. data breaches linked to ~1B breach notices in 2024 were preventable based on information available in the legally required alerts. In Australia, the Securities & Investments Commission says 58% of companies regulated by the ASIC have limited or no capability to adequately protect confidential information from data breaches or cyberattacks. Improved cyber processes like better vulnerability identification, faster patching, and automated rule deployment allow dev and security teams to focus on higher-value activities instead of manual, labor-intensive activities that take months to find and fix a problem.

As Defenders, we are not just keepers of the systems and data in our charge; we are also protectors of our company’s reputation. Mr. Buffett had something to say about that, too. “Lose money for the firm, and I will be understanding. Lose a shred of reputation for the firm, and I will be ruthless.”