The cost of a data breach has risen 12 per cent over the past five years and could cost an average of $3.92 million if a new study of victimized firms is representative of the true costs.
The numbers are in the latest annual Cost of a Data Breach report by the Ponemon Institute and funded by IBM Corp. All figures are in U.S.
After a plunge in 2017, the average cost of a breach among studied organizations has been rising.
The most recent data was pulled from interviewing officials at 507 organizations in 16 countries and regions and across 17 industry sectors that suffered breaches between July 2018 and April 2019.
For the first time this year, the report also examined the longtail financial impact of a data breach, finding that the effects of a data breach are felt for years. While an average of 67 per cent of data breach costs were seen in the first year after a breach, 22 per cent accrued in the second year, and another 11 per cent accumulated more than two years after a breach.
The analysis takes into account hundreds of cost factors including legal, regulatory, and technical activities to loss of brand equity, customers, and employee productivity.
Among other highlights:
- Over 50 per cent of data breaches in the study resulted from malicious cyberattacks and cost companies $1 million more on average than those originating from accidental causes.
- While less common, breaches of more than 1 million records cost companies a projected $42 million in losses and those of 50 million records are projected to cost companies $388 million.
- Companies with an incident response team that also extensively tested their incident response plan experienced $1.23 million less in data breach costs on average than those that had neither measure in place.
- The average time it took organizations to detect and identify a breach was 279 days. That’s 4.9 per cent longer than the average of 266 days in 2018. In addition, it was found that the longer a breach’s life cycle is, the greater the total cost. This is especially true in the case of malicious and criminal attacks, which take an average of 314 days to identify and contain.
While among the organizations studied, malicious data breaches are growing (up from 42 per cent to 51 per cent over the past six years –a 21 per cent increase), the combined number of inadvertent breaches from human error and from system glitches were still the cause for nearly half (49 per cent) of the data breaches in the report.
“These breaches from human and machine error represent an opportunity for improvement, which can be addressed through security awareness training for staff, technology investments, and testing services to identify accidental breaches early on,” says IBM in a news release accompanying the report. “One particular area of concern is the misconfiguration of cloud servers, which contributed to the exposure of 990 million records in 2018, representing 43 per cent of all lost records for the year, according to the IBM X-Force Threat Intelligence Index.”
Additional factors impacting the cost of a breach for companies in the study included:
- Number of compromised records. Data breaches cost companies around $150 per record that was lost or stolen.
- Companies that fully deployed security automation technologies experienced around half the cost of a breach ($2.65 million average) compared to those that did not have these technologies deployed ($5.16 million average).
- Extensive use of encryption was also a top cost saving factor, reducing the total cost of a breach by $360,000.
- Breaches originating from a third party – such as a partner or supplier – cost companies $370,000 more than average, emphasizing the need for companies to closely vet the security of the companies they do business with, align security standards, and actively monitor third-party access.
In a blog for IBM, report author Larry Ponemon also noted that this year’s edition examined the value to organizations of testing an incident response plan. It estimates this reduced the average total cost of a breach by $320,000 compared to the mean total cost of a data breach ($3.92 million).
The top cost-mitigating factor out of the 26 cost factors looked at is the formation of an incident response team, which reduced the average total cost of a data breach by $360,000.
Several other cost-mitigating factors are business continuity management, a DevSecOps approach, artificial intelligence (AI) platforms “and good, old-fashioned employee education.”
