A recent report released by the Ponemon Institute on behalf of IBM Security has revealed the hidden cost of data breaches and, for the first time, the cost of mitigating data breaches involving more than 1 million records.
The study gives an insight into the costs of resolving data breaches and the full financial impact on organizations' bottom lines. For the worldwide study, 477 organizations were recruited and more than 2,200 individuals were interviewed about the data breaches suffered at their organizations and the associated costs. The breach costs were estimated using the activity-based costing (ABC) methodology. The average number of records exposed or stolen in the breaches reviewed in the study was 24,615 globally and 31,465 in the United States.
The average cost of a data breach is now $3.86 million – a yearly increase of 6.4%. The per capita cost of a data breach has risen by 4.8%, from $141 per record in 2017 to $148 per record in 2018.
Data breaches are more expensive to resolve in the United States, where the average cost was $7.91 million. The cost of a data breach also varies massively between industry sectors. The highest data breach resolution expenses are for healthcare data breaches, which normally cost an average of $408 per record. This is much higher than financial services data breaches in second place, which cost an average of $206 per record. The lowest expenses incurred were in the public sector, with costs of $75 per record.
The type of breach has an effect on the cost. Cyberattacks by malicious insiders and hackers cost an average of $157 per record, system glitches cost an average of $131 per record to resolve, while breaches caused by human error cost an average of $128 per record to resolve.
The mean time to spot a breach was 197 days and the mean time to contain a breach was 69 days. The time taken to spot and contain breaches both increased in the past year, which has been blamed on an increase in the severity of cyberattacks in this year’s sample.
Experiencing one breach is bad enough, but many firms experience multiple breaches. IBM determined that companies that experience a data breach have a 27.9% chance of suffering a second material breach within two years.
Mega Data Breach Costs
For the first time, Ponemon/IBM researched the costs of mega data breaches, which are data breaches that have led to the theft or exposure of more than 1 million records. The number of mega data breaches suffered has nearly doubled in the past five years, from 9 in 2013 to 16 in 2017.
The average time to discover and contain these mega data breaches was 365 days – almost 100 days longer than smaller data breaches which took an average of 266 days to discover and contain.
These mega data breaches can prove to be very costly to resolve. The average cost of a mega data breach involving 1 million records is $40 million. That figure increases to an average of $350 million for a breach involving the exposure/theft of 50 million records. The largest cost of these mega data breaches is loss of customers, typically costing $118 million for a 50-million record breach.
Factors that Influence the Cost of a Data Breach
As with earlier studies, Ponemon/IBM identified several factors that can have an effect on the cost of data breaches.
Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services (IRIS), said: “Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake”.
The time taken to discover and contain a breach has a significant bearing on cost. When firms can contain a breach within 30 days they typically save around $1 million in breach resolution costs. Companies that discovered and addressed a breach within 100 days spent around $1 million less than those that took longer than 100 days.
The most crucial factor affecting the cost of a data breach is having an incident response team in place, which cuts the breach cost by an average of $14 per compromised record. In second place is the use of encryption, which cuts the cost of a data breach by $13 per record.
Business continuity management cut the per capita cost by $9.3, as did staff training. Participation in threat sharing cut the per capita cost by $8.7, and use of an artificial intelligence cybersecurity platform cut the cost by $8.2.
One of the largest costs following a data breach is loss of customers. All businesses suffer from churn after a breach, but steps can be taken to reduce it. Organizations that implement programs to preserve trust and loyalty before a breach suffer lower churn rates, as do firms that have a Chief Privacy Officer (CPO) or Chief Information Security Officer (CISO) to direct initiatives to enhance customer trust in the guardianship of personal data. When businesses offer identity theft protection and credit monitoring services to breach victims, the churn rate is also cut.
Firms that lost 1% of their customers due to a breach had an average total cost of $2.8 million, whereas a loss of 4% or more customers saw breach costs increase to an average of $6 million – a difference of $3.2 million.
When companies employ security automation, the cost of a data breach drops to $2.88 million per breach, whereas without any security automation the average breach cost is $4.43 million – a difference of $1.55 million per breach.
The main factor that pushes up the cost of a data breach is third-party involvement, which adds $13.4 per record. If a company is dealing with a major cloud migration at the time of the breach, the cost increases by $11.9 per record. Compliance failures also push the breach cost up by $11.9 per record.
Widespread use of mobile platforms increases the breach cost by $10 per record while companies that extensively use IoT devices add $5.4 per record to data breach costs.
While breach victims need to be contacted as soon as possible, rushing to issue breach notifications before all the details have been obtained increases the cost of the data breach by $4.9 per record.
The study can be viewed on this link.