ROI into Data Privacy Management from Privacy Bee

Calculating the ROI into External Data Privacy Management Solutions

External data privacy management is a preventative activity focused on preempting data breaches and other damaging consequences of unsecured external data. For preventative solutions – those that don’t yield a revenue result but instead help prevent damaging and costly consequences – it can be difficult to calculate ROI.  This is because products designed to avoid certain risks merely ensure that losses are minimized and avoided.  If these products work as intended, there is no evidence of savings, only evidence of the capital outlay.  It is inherently difficult in the absence of any loss to accurately establish that a preventative product was indeed responsible for protecting the status quo and enabling business continuity.  This presents a conundrum for the sponsor of a new product or service designed to protect against likely, but unpredictable risks.

Despite this, there are many preventative products which are well-received and widely accepted as necessary for organizations to purchase.  Liability insurance is a product almost every business pays for but that most rarely actually need to use.  A company may pay liability insurance premiums for years or even decades without ever having reason to file a claim.  On paper, that is all expense with zero return on the investment.  However, in the event a liability claim or lawsuit is brought against the company, it becomes evident that paying for insurance coverage is a critical and comparatively small expense.  Especially compared to the losses the organization would have absorbed in the absence of coverage. 

Most defensive information security systems fit the mold of “preventative” solutions.  And just like liability insurance, most organizations are aware of the imperative to invest in infosec to prevent data breaches and other cyber criminal attacks.  Aware of the potentially catastrophic financial consequences of data breaches, most organizations invest in infosec solutions despite lacking any clear means to calculate ROI.  Most information security spend today is applied to solutions traditionally associated with cyber security.  Network encryption, zero-trust protocols, multi-factor authentication, endpoint security, firewalls, cloud security, password management, physical security measures/cameras, IAM, and user training/awareness programs are routinely included in approved IT budgets without a concrete ROI.  Enough examples of the high cost of failure in each of these defensive efforts exist that most leaders readily accept that guarding against such failures is a worthy expenditure. 

But when new threats emerge it can take organizations some time to grow convinced of the need to allocate additional budget to address novel risks.  There is always a reflexive resistance to untested solutions addressing poorly understood risks. Today’s most glaring example of this dynamic is seen in the rapid expansion of the market for privacy risk mitigation.  Many currently approach privacy risk by adding more budget to existing infosec programs, unconvinced of the need to invest in emerging solutions for managing the root of the emerging threat – unsecured external data.      

Data privacy is at the center of all contemporary information security programs and methodologies. More than any other defense strategy, data privacy management today represents the difference between success and failure for all organizations. All existing defense strategies – network encryption, zero-trust protocols, multi-factor authentication, endpoint security, firewalls, physical security measures/cameras, IAM, user training/awareness, etc. – are rendered impotent in the absence of stringent external data privacy management.

Yet, due to the newness of the threat, many organizations lack a clear strategy or solution for achieving effective external data privacy management (EDPM). Many still labor under the misconception that their existing, traditional information, cyber and physical security practices – and the current, allocated budget levels – are sufficient to maintain security. This is not true.

The clearest and most present threat to information and cyber security comes from unsecured external data.  As the Privacy Bee organization has proven in published papers and studies, external data privacy management (EDPM) is the keystone preventing a host of damaging consequences.  The most consequential of these potentially catastrophic consequences is the data breach wherein threat actors gain unauthorized access to sensitive information systems and hold organizations ransom, steal priceless intellectual property or simply abscond with volumes of customer data like credit card, bank account and Social Security numbers.  While data breaches driven by social engineering schemes powered by unsecured external data are exploding in popularity and frequency, there are other costly consequences associated with poor or non-existent EDPM. 

This document will provide methodical, data-driven ROI calculations proving the imperative for deploying a solution like Privacy Bee for Business to address the EDPM deficit within any organization.  It will illustrate not only the potential ROI stemming from improved data breach risk mitigation, but also the benefits derived from improved productivity, physical safety, staffing efficiencies and identity theft prevention that flow from applying a comprehensive external data privacy management solution.

At every step of the process, the ensuing ROI calculations are built atop assumptions derived not from the marketing department of Privacy Bee, but from the numerical values provided by highly respected industry sources: leading business consultancies Gartner Group and Forrester; US government agencies like the US Department of Justice, the 2020 Census and the US Bureau of Labor Statistics; trusted online security thought leaders like Kaspersky and Ooma; and leading human capital management think tanks like the Society for Human Resource Management (SHRM).

After describing the methodology for calculating ROI in each of the EDPM buckets discussed in the paper, an ROI calculation will be completed based on a hypothetical organization of 1000 employees.  There will also be a link to an online calculator where readers can input data about their particular workforce composition and derive an estimated ROI for Privacy Bee for Business for their own organization.  Let’s begin.

Data Breach Risk Mitigation ROI Calculation

By far the most potentially costly threat facing organizations lacking strong EDPM is the risk of data breach.  Here are the values gathered to help derive an accurate ROI calculation for investing in Privacy Bee for Business to protect against data breaches powered by social engineering attacks relying on unsecured external data.

First, About The Values

The following assumptions, figures and values are all sourced through independent, third-party sources of good repute.  The only figure provided by Privacy Bee for Business is the efficacy rate of the Privacy Bee solution which is derived from actual data collected during the management of external data privacy risk mitigation services provided to real customers.

Begin the data breach risk mitigation calculation with the number:

$8.64 million – the average cost of a data breach in 2023 according to Gartner research divided by:

700 – the number of times an average organization is targeted by social engineering attacks in a year according to a report on spear phishing produced by enterprise security solutions company Barracuda which yields:

$12,342 – the estimated risk cost per attack based on the above two values.

Next, multiply the $12,342 figure by:

63% – which is the percentage of companies affected by a data breach every year according to Forrester research.  Multiplying the estimated risk cost per attack by this value yields:

$7,776 – dollars of risk per each breach attempt.

Then, multiply $7,776 by:

14 – which is the number of malicious emails an average employee is subjected to each year according to phishing statistics derived by Tessian – a renowned cloud email security company.  This equals:

$108,864 – which is the product of dollars of risk per attempt times the average number of emailed attempts.

Since nearly three out of four breaches involve a human element, multiply $108,864 by:

74% – which is the percentage of breaches involving a human element according to Verizon’s 2023 Data Breach Investigations Report (DBIR).

Multiply again by:

85% – the percentage of breaches DBIR finds involve external actors (non-employees).

Then multiply again by:

17% – DBIR reported percentage of breaches involving social engineering, and this yields:

$11,640 – dollars of risk mitigated if an organization is fully covered by the Privacy Bee for Business solution.  (Fully covered is defined as ensuring that every employee with any level of information system or physical plant security access is covered with a complete license.)

Here is where the above-mentioned efficacy rate is involved, by multiplying the $11,640 figure by the 70% efficacy rate to arrive at:

$8,149 – the data breach risk mitigation value per fully covered employee.   With current license costs approximating $200 per year, the ROI on investing in breach protection with Privacy Bee for Business makes a compelling argument for doing so.

Other Factors to Include in the Complete ROI Calculation

Data breaches enabled by unsecured external data represent the costliest of potential risks associated with external data privacy management or the lack thereof.  However, there are a number of other benefits to exerting control over the external data of an organization’s workforce which yield both hard and soft cost savings.  These elements of the Privacy Bee for Business external data privacy management solution should also be included in any ROI calculation for purposes of developing a business case for purchasing the product.

Productivity Increase Due to Reduced Spam

Cyber security thought leaders at Kaspersky report each individual employee wastes an average of 18 hours a year reading, assessing and ultimately deleting spam messages sent to their business email address.  Adding to this deficit is another 108 hours annually lost to telemarketing and other unsolicited spam calls says a survey produced by telecom company Ooma and financial media outlet Motley Fool.    

Using these figures, the average amount of wasted time is 126 hours per employee, annually. 

Assuming an annual salary of $85,000 as a benchmark (which boils down to $41.08 per hour) one can calculate that the value of time lost to spam email and phone calls per employee, per year is $5,176.

Once again, multiplying by the Privacy Bee for Business efficacy rate figure of 70% gives the total value of increased productivity yielded by reducing preventable telemarketing and email spam:

$3,623 – the total value of increased productivity yielded by reducing preventable telemarketing and email spam.

Identity Theft Protection

Dealing with the fallout of identity theft is a time-consuming process.  The SANS Institute, an InfoSec and cybersecurity training leader, pegs the number of hours typically required to ameliorate an instance of identity theft at around 150 hours per instance!  That is a lot of time and effort taken away from a business's core activity, and a lot of wasted money.  Of course, some of that time and effort is bound to occur while a victim of identity theft is at work.

So, assuming the typical worker spends 25% of their waking hours at work, it can be calculated that, on average, 37.5 hours of work time are spent resolving an instance of identity theft.

$1,540.50 – the value lost to a single worker pursuing remedies to an instance of identity theft, using the same assumption of an $85,000 average annual salary ($41.08/hr).

10.07% – the percentage of working adults affected each year by identity theft.  This number is derived by dividing the total number of victims of identity theft in the US over a twelve-month period (26 million according to data from the US Department of Justice) by the number of working-age adults, which the 2020 Census puts at 258,300,000.

By multiplying the value lost by the percentage of workers affected by identity theft annually, one arrives at $155.06 as the weighted value of preventing each instance of identity theft.  And finally, multiplied by the 70% Privacy Bee efficacy rate, it is determined that:

$108.54 – is the value delivered by Privacy Bee in the prevention of identity theft per employee.

Physical Safety

In today’s highly polarized social environment, attacks of all kinds are on the rise.  Physical attacks are increasingly directed at executives and employees working in controversial and polarizing industries such as gun manufacturing and pharmaceutical companies, or in government/public positions.  Whether motivated by geopolitics, religious fanaticism or any other dynamic, the potential for physical harm cannot be overstated. 

Acts of terror and physical violence are becoming an appallingly regular occurrence.  And it is well known that threat actors find their targets – whether they be certain professionals, political, governmental, and religious figures, political or religious advocacy groups, journalists – using unsecured external data. 

Organizations that cannot adequately protect their workforces and facilities against violence are likely to experience headcount reductions/employee turnover as talent seeks safer workplaces.  The cost of employee turnover (to say nothing of reputational damage) is a primary driver of efforts to harden physical security.  Here is how using Privacy Bee for Business to minimize unsecured external data drives savings and ROI.

$18,591 – according to Gartner, the average cost of losing an employee for any reason.  Multiply this amount by:

14.30% – the percentage of employees who report feeling unsafe in the workplace, per research produced by SHRM, the Society for Human Resource Management, and multiply again by:

41% – representing those people who the All Voices State of Workplace Safety Report says would leave a workplace that feels unsafe, to arrive at:

$1,089.99 – the weighted estimated cost of losing an employee due to perceived threats in the workplace.  Multiplying this number by:

98% – the percentage of people actively exposed on Data Broker and People Search Sites according to Privacy Bee research yields:

$1,068.19 – which is the total value per employee provided by eliminating exposures for improved workplace safety.

It should be noted that this calculation does not account for the flight of talent that is likely to occur in the wake of a successful attack on a colleague in the workplace.  Neither is there any adequate value that can be placed on the loss of a human life.


Poach Defense

Today, widespread, aggressive poaching and elevated levels of HR churn are problems facing nearly every industry in North America.  Every organization’s productivity and profitability are being impacted.  The conventional wisdom among industry groups and experts completely overlooks the root causes of poaching. 

Unsecured external data is the leading means by which aggressive staffing suppliers and corporate HR recruiters gain visibility and access to your precious talent.   Yet, none of the experts seem aware of the most promising solutions for preventing HR churn and poaching.  Dramatically reducing unsecured external data about your workforce makes it far more difficult for unscrupulous headhunters and competitive HR departments to find and solicit top talent away from your organization.  The savings associated with reducing employee “churn” rates can be significant.

$18,591 – the average cost of losing an employee according to a Gartner document on employee retention strategies.   Multiplied by:

28% – which the US Bureau of Labor Statistics says is the average churn rate for US businesses annually.  Then multiplied again by:

47% – which SHRM and George Mason University joint research says is the percentage of new hires poached by another organization, and the product is:

$2,411.62 – the weighted cost to a business for each employee lost to HR poaching.  Multiply this figure again by the 70% Privacy Bee efficacy rate to arrive at:

$1,688.14 – the value of poaching efforts, per employee, prevented by the Privacy Bee Poaching Defense.


Total Value per Employee of the Privacy Bee for Business Solution and ROI

Using the per-employee value figure from each of the individual solution elements/factors calculated above, a complete Return on Investment calculation can be determined.  Adding the value sums from:

  • $8,148 for Data Breach Risk Mitigation
  • $3,623 for Productivity Increase
  • $108 for Identity Theft Protection
  • $1,069 for Physical Safety and
  • $1,688 for Poach Defense

yields a sum total of $14,636 in value per employee.  Next, using:

$200 – the approximate cost per year for each employee license of the Privacy Bee for Business solution, we arrive at:

7429% – the return on investment for avoiding all the perils above!

Additional ROI Variables to Consider

All the preceding calculations are based on figures for the average employee of any given organization.  However, many of the values used in the calculations would need to be altered to derive a more accurate ROI when applied to coverage for top executives.   An executive’s time, salary, replacement cost and value to the organization are routinely far higher than those of the average rank-and-file worker.  So, a different set of parameters must be observed in the ROI calculation to account for the disparity in value between a C-level employee and the rest of the workforce. 

To address this disparity and for perspective on the disparity itself, consider that, according to Statista figures, the ratio between compensation for a CEO and the average worker within the top 30 largest public companies in the US is 399:1. 

For a far more conservative estimate of the disparity between the total value per employee and the total value of an executive using the Privacy Bee solution, use a ratio of 20:1 and re-perform the ROI calculation above. 

$292,734 – 20X the total value per employee

$200 – approximate cost per license per employee

148,596% – ROI on covering executives with the Privacy Bee for Business solution.

Conclusion

As with any calculation, the values may be tweaked to address the specifics of different organizations and the unique composition of every workforce.  However, the value proposition of investing in Privacy Bee to address external data privacy management is undeniable.  There is no objective scenario wherein the extremely modest investment into this suite of products does not yield outsized return and drive significant long-term value. 

For help running a more tailored ROI calculation, and for developing a strong business case to present to those with purchasing authority in your organization, contact your Privacy Bee for Business representative today.
