back to article Businesses confess: We pass cyberattack costs onto customers

The costs incurred by organizations suffering data losses continue to go up, and 60 percent of companies surveyed by IBM said they were passing them onto customers. According to Big Blue, the average cost of a data breach worldwide rose almost 13 percent over the past two years, hitting an all-time high of $4.35 million. In …

  1. Paul Crawford Silver badge

    those organizations that pay the ransom are often targeted again within months, increasing the financial losses even more

    Gee, who could have guessed?

    1. ThatOne Silver badge

      Yeah but if they pass the cost to their customers, who cares?

  2. Pascal Monett Silver badge

    A report full of obvious points

    Nonetheless, it is a good thing to point them out.

    However, the clincher is in the last paragraph :

    "organizations using security AI and automation technologies had average data breach costs that were $3.05 million less than those that weren't"

    No points for guessing who sells "security AI".

    This whole report is just a sales pitch for IBM who is trying to scare customers into signing up for its products.

    Zero trust only saves you a million. We can save you 3 million.

    Sign here.

    1. Howard Sway Silver badge

      Re: A report full of obvious points

      Sure, they're selling something. But they're not wrong in pointing out that the costs of decent prevention are much lower than the costs of a catastrophic breach. Burglar alarm manufacturers did the same thing.

      Passing the costs of attacks onto customers does of course also make you uncompetitive on price compared with a better secured competitor.

      1. veti Silver badge

        Re: A report full of obvious points

        The trouble is, that assumes there *is* a better secured competitor.

        My experience is that there are lots of small companies all taking a fairly relaxed attitude to security, whose market niches are sufficiently narrow that they only have a handful of competitors - who are similarly relaxed.

        And the cost to the customer of switching providers is often quite significant, too. Think data migration. It's not the sort of thing you want to do every year.

        So yeah, in theory the company that invested in more security up front has a potential advantage - but then, so does the company that doesn't (because it saves the cost of that investment). And advantage against whom, anyway?

  3. SsiethAnabuki

    Where else would the money come from?

    Not sure what anyone was expecting regarding who footed the bill for this. Was there a notion that someone would pass a bucket round at the shareholder meetings?

    1. Disgusted Of Tunbridge Wells Silver badge

      Re: Where else would the money come from?

      If a company has flexibility in its pricing that it can charge customers more, it isn't charging enough.

      An ideally ran company should already be charging the maximum it can extract from customers to the point where if they increase prices they will lose business and make less money in the long run.

    2. katrinab Silver badge

      Re: Where else would the money come from?

      Yes, because I expect them to be charging the market clearing price for their product and therefore unable to charge any more, otherwise why aren’t they doing it anyway, and making more profit for their shareholders.

      1. veti Silver badge

        Re: Where else would the money come from?

        Because every company operates in a perfectly competitive market with identical products, perfect information for all participants, and zero costs of switching suppliers?

        Look, Econ 101 is a decent start, but it's only a start. There's a lot more to be learned after that.

  4. OhForF' Bronze badge

    Passing the cost to customers

    Of course companies pass on costs to customers, they always do.

    It is even a good thing if they do it for costs of cyber attacks. In the end those that manage to prevent those cyber attacks from happening (frequently) will have lower prices and that will create pressure on those that only give lip service "your data's security is of utmost importance to us".

    As other commentards have already pointed out the article is more of a sales pitch.

    >Ninety-four percent of today's enterprises find at least 20 percent of their endpoints are unprotected<

    What does "unprotected" mean here - i assume not covered by a cybersecurity suite?

    Doesn't have to be a problem, a hardened server in a DMZ isn't really a problem.

    I have a hard time believing that bigger enterprises will have 20% of their computers connected to the internet without even a firewall in between.

    1. Security nerd #21

      Re: Passing the cost to customers

      "I have a hard time believing that bigger enterprises will have 20% of their computers connected to the internet without even a firewall in between."

      You'd be surprised unfortunately. Many companies don't even know what kit they are running - let alone the challenges with misconfigured cloud services, and shadow IT introduced by the business teams.

  5. stiine Silver badge

    60% report passing the costs on

    And the other 40% are lying through their teeth.

  6. JacobZ


    I hate to break this to you, but eventually companies pass _all_ costs onto customers.

    That's how business works.

    1. Disgusted Of Tunbridge Wells Silver badge

      Re: Newsflash

      It isn't. Businesses charge the amount that makes them the most profit.

      In effect that means charging as much as they can without pricing themselves out of too many sales.

      There should be no room for upward movement of the price because they are meant to be gouging you already.

      1. ChoHag Silver badge

        Re: Newsflash

        The maximum amount that a company can gouge out of its customers takes into account the amount by which it may need to increase it should the company's costs suddenly increase, such as by being asked to pay a large ransom. Without room to manouevure a maximally-gouging company would fail as soon as it had a moment's trouble in its supply or manufacture pipelines because it would be unable to increase prices to cover higher costs.

        1. Disgusted Of Tunbridge Wells Silver badge

          Re: Newsflash

          That assumes that businesses voluntarily turn down money they could make by charging slightly more.

          They don't. Prices get driven down by competition only.

  7. Mike 137 Silver badge

    Shout this out loud!

    "Organizations would be better served by investing in cyber-hygiene tools and threat hunting skills than to keep throwing money at point solutions that continue to fail them"

    This has always been the case. Business infosec is almost entirely reactive. This is the equivalent of skirmishing in bandit territory against locals who know the geography while you don't. The outcome is continuous attrition of your forces with nothing much to show for it.

    The preferable solution is pre-emptive resilience, making you a harder target. This causes the majority - trivial attacks that would otherwise succeed - to just bounce off harmlessly, leaving plenty of resources to deal with the more dangerous minority. But to succeed it does need changes to corporate culture. The triumph of 'convenience' over common sense needs to be reversed and the susceptibility of the executive and their technophiles to marketing hype must be significantly reduced. Both will be hard to achieve

  8. Pete B Silver badge

    "it's the coup de grâce to then pass the cost of breaches to the same customers who are now the victims of a data breach."

    I'd be an ex-customer, not a current one, so they can put prices up as much as they like.

    1. Missing Semicolon Silver badge

      The cost of breaches is too low.

      You may not be a customer any more, but there are loads who are. Or join afterwards.

      Since the fines are generally as near zero as makes no difference, the small cost of cleaning up is usually cheaper than paying for security.

      This only works because companies are not reduced to smoking holes in the ground by the fines for losing customer data. A couple of those, and the problems will go away.

  9. AndrueC Silver badge

    Well..duh. Companies are not 'people' everything is just income or expenditure to them. They can offset any expense by increasing prices, reducing staff renumeration or (in extreme cases) cutting shareholder dividends. If a cost is experienced equally by their competitors they have no reason to do otherwise. Like corporation tax..

  10. Throatwarbler Mangrove Silver badge
    Paris Hilton


    At what point do companies or countries band together to deploy counter-hackers to deal with the ransomware scum? It seems like the time is upon us for "the best defense."

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like