Rhino Security Labs


How much does a data breach really cost?

What is the cost of a breach?

Normally, when a data breach makes the news it’s attached to a shocking price tag – numbers that have been trending into the multi-millions. The shock value of a huge loss is sometimes helpful to make a point, but isn’t very helpful when it comes to creating a security plan.

When the only breaches that make the news are outliers, it’s difficult for business owners and IT managers to understand the actual risk to their business and make appropriate investments in security.

So what are more practical numbers that you can plan around?

Classifying your data

Depending on your business, you may have several types of critical data or just one or two classifications. If you’re dealing with proprietary intellectual property, losing that data has a different impact than losing customer credit card info.

If you’re in that boat, your best bet is to hire a professional risk assessment advisor. The ways intellectual property and research & development data tie into your business are too complex for a one-size-fits-all approach or even most general guidance.

For businesses storing customer data, like credit card numbers or contact info, the impact is a little more straightforward to calculate.

The cost of a data breach - what's the average?

The Ponemon Institute issues an annual “Cost of Data Breach Study” that provides useful information for small and medium businesses trying to get an idea of where they stand.

This year the Institute determined that the average cost per compromised record was around $145. Obviously, this is an average, so depending on your country and business, that value could be higher or lower.

The average data breach cost was about $3.5 million, which may sound low to some when the big news stories cite mega-million-type numbers, but it’s important to remember that the vast majority of data breaches come from small businesses, so the scale is much different.

Making smart security decisions is all about being able to successfully balance risk with budget. Rather than just picking a number at random, using Ponemon’s data should provide a solid baseline for your decision making.

You’ll still have to determine how much money needs to be budgeted for security protection and mitigation versus how much the business relies on liability insurance, but having that baseline is extremely helpful.

Because security news can be so sensational, it’s easy to get distracted by numbers that make it seem like any security investment would be hopelessly insufficient. But when you start looking at the realistic impact and not the outliers, you can make smarter budgeting and strategy decisions.