2013 was an interesting year in security, with some fairly high-profile data breaches making the news
In December 2013, news broke that U.S. retail giant Target Corp. had suffered a major breach, losing the personal information of 40 million credit and debit card holders. And in October 2013, Adobe Systems Inc. (Nasdaq: ADBE) said hackers had gained access to at least 38 million Adobe IDs and passwords, though the count could be as high as 150 million.
While none of these headlines were mentioned in the Ponemon Institute’s latest study on the cost of data breaches, as researchers weren’t tracking mega breaches, the average total cost of a data breach has definitely gone up. Compared to last year’s study released in June 2013, the average total cost of a data breach has jumped 15 per cent, from $3.1 million to about $3.5 million, with the average cost of a single lost or stolen record totaling $145 – up from $136 last year.
In this year’s study, sponsored by IBM Corp. (Nasdaq: IBM), researchers for the Ponemon Institute surveyed 314 companies in 10 regions, including the U.S. and countries in Europe, Asia, and the Middle East. Researchers tallied up figures for these 314 companies, all of which had a data breach of anywhere from 2,415 to 100,000 lost records, to come up with their final figure for the average cost of a data breach.
To get this number, they added up both the direct and the indirect expenses of a breach. For example, direct expenses would include hiring forensic experts to find out how the breach happened, getting hotline support for customers whose data was lost or stolen, and providing free credit monitoring. Indirect expenses might include doing internal investigations, as well as whatever loss of business there might be from customers who had also lost faith in the company’s ability to keep their data safe.
Researchers found the most expensive data breaches tended to be the result of a malicious attack, with hackers zeroing in on valuable data. They also tended to be more costly in healthcare, education, the pharmaceutical industry, and the financial services industry.
There weren’t any numbers available specifically for Canada, but what the research did find was the numbers for the cost of lost or stolen records differed, depending on the country, its data protection laws, and the kinds of threats coming from hackers. For example, the highest costs for data breaches were in the U.S. and Germany, with a breach setting a company back at about $200 per lost record. The lowest costs for a data breach were in Brazil and India, at just $70 and $51, respectively.
That being said, breaches were most likely to happen in Brazil and India, involving at least 10,000 lost or stolen records. On the other side of that, Germany and Australia were least likely to suffer a breach – and organizations in any country are more likely to lose 10,000 records, compared to the large scale breaches at Target and Adobe that affected millions of people.
For businesses who did fall victim to a breach, what the researchers found was that a strong security posture, a plan for response, and having someone in the role of chief information security officer tended to mitigate the costs of the breach. However, what upped the costs yet again were factors like whether corporate devices had been lost or stolen, resulting in the breach, whether third parties were involved, whether customers whose information had been lost were notified quickly, and whether the company hired consultants in the breach’s aftermath.
To access the Ponemon Institute’s report, head on over here.