Average cost of U.S. data breach climbs to US$12.7 million: Report

The cost of a data breach in terms of public confidence and trust in an organization is hard to measure. But if you want to put a figure on the economic cost to an organization of detecting, recovering from, investigating and managing the response to an incident, it’s not that difficult.

The average cost of attacks at 257 companies in seven countries in fiscal 2014 (April 2013 to May 2014) was $7.6 million (all figures U.S.) according to a study done for Hewlett-Packard by the Ponemon Institute.

If that seems small, it’s because the study covered the U.S., Britain, France, Germany, Russia, Australia and Japan. The costs ranged from $500,000 to $61 million.

For the U.S. alone, the average cost was $12.7 million, up from $11.56 million in the same period the year before.

During the 12-month period those 257 organizations experienced 429 cyber attacks, or 1.6 a week, most commonly viruses, worms, Trojans and malware.

The most expensive damage was done by malicious insiders (including partners) — on average $213,500 — followed by denial of service and Web-based attacks.

Common sense says the bigger the company the higher the cost, and the study bore that out. However, measured by the number of seats in the enterprise, small organizations suffered a higher per-employee cost than larger organizations.

The report also notes that organizations that used security intelligence systems were more efficient at detecting and containing cyber attacks, though not at eliminating breaches entirely. “Companies that invest in adequate resources, appoint a high-level security leader, and employ certified or expert staff have cyber crime costs that are lower than companies that have not implemented these practices,” says the report.

The report makes two vital points:

–Cyber attacks can get costly if not resolved quickly. There’s a positive relationship between the time to contain an attack and organizational cost. Resolution does not necessarily mean that the attack has been completely stopped. For example, some attacks remain dormant and undetected.
The average time to contain a cyber attack was 31 days, with an average cost to participating organizations of $639,462 during this 31-day period. That’s a 23 per cent increase from last year’s estimated average cost of $509,665, which was based upon a 27-day remediation period. Malicious insider attacks can take more than 58 days on average to contain.

–Business disruption represents the highest external cost, followed by the costs associated with information loss. On an annualized basis, business disruption accounts for 38 per cent of total external costs, which include costs associated with business process failures and lost employee productivity.

“The most costly cyber crimes are those caused by malicious insiders, denial of services and web-based attacks,” said the report. These account for more than 55 percent of all cyber crime costs per organization on an annual basis. Mitigation of such attacks requires technologies such as SIEM (security information and event management) suites, intrusion prevention systems, applications security testing solutions and enterprise GRC (governance, risk management and compliance) solutions, said the report.

It also found that the smaller organizations studied suffered a higher proportion of cyber crime costs relating to Web-based attacks, viruses, worms, Trojans and other malware. Larger organizations experienced a higher proportion of costs from denial of service attacks, malicious code and malicious insiders.

Of the incidents studied, energy, utilities and financial services sectors had the highest annualized cost.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com