The average cost of a data breach has risen 12 percent over the past five years to 3.92 million USD, and its financial effects are felt for years after the incident. These are the main findings of a new study conducted by the Ponemon Institute and sponsored by IBM Security. The rising expenses reflect the multi-year financial impact of breaches, increased regulation and the complex process of resolving criminal attacks.
The report examined the long-tail financial impact of a data breach and found that costs continue to accrue well beyond the incident itself. On average, 67 percent of data breach costs were realised within the first year after a breach, 22 percent accrued in the second year and another 11 percent accumulated more than two years after the breach. The long-tail costs in the second and third years were higher for organisations in highly regulated environments, such as healthcare, financial services, energy and pharmaceuticals.
Some of the most significant findings are:
- Malicious breaches – most common, most expensive: over 50 percent of data breaches in the study resulted from malicious cyberattacks and cost companies 1 million USD more on average than those originating from accidental causes.
- “Mega breaches” lead to mega losses: while less common, breaches of more than 1 million records cost companies a projected 42 million USD in losses, and breaches of 50 million records are projected to cost 388 million USD.
- Practice makes perfect: companies with an incident response team that also extensively tested their incident response plan experienced 1.23 million USD less in data breach costs on average than those that had neither measure in place.
- US breaches cost double: the average cost of a breach in the US is 8.19 million USD, more than double the worldwide average.
- Healthcare breaches cost the most: For the 9th year in a row, healthcare organisations had the highest cost of a breach – nearly 6.5 million USD on average (over 60 percent more than other industries in the study).
The study found that data breaches originating from a malicious cyberattack were not only the most common root cause of a breach but also the most expensive. Malicious data breaches cost companies in the study 4.45 million USD on average, over 1 million USD more than those originating from accidental causes such as system glitches and human error. These breaches are a growing threat: the share of malicious or criminal attacks as the root cause of data breaches in the report crept up from 42 percent to 51 percent over the past six years of the study (a 21 percent relative increase).
Inadvertent breaches from human error and system glitches were, however, still the cause of nearly half of the data breaches in the report, costing companies 3.50 and 3.24 million USD respectively. These breaches from human and machine error represent an opportunity for improvement, which can be addressed through security awareness training for staff, technology investments and testing services that identify accidental exposures early. One particular area of concern is the misconfiguration of cloud servers, which contributed to the exposure of 990 million records in 2018, representing 43 percent of all lost records for the year.
Breach response biggest cost saver
For the past 14 years, the Ponemon Institute has examined the factors that increase or reduce the cost of a breach and has found that the speed and efficiency with which a company responds to a breach has a significant impact on the overall cost.
This year’s report found that the average lifecycle of a breach was 279 days, with companies taking 206 days to first identify a breach after it occurs and an additional 73 days to contain it. Companies in the study that were able to detect and contain a breach in less than 200 days in total spent 1.2 million USD less on the total cost of a breach.
A focus on incident response can help reduce the time it takes companies to respond, and the study found that these measures also had a direct correlation with overall costs. Having an incident response team in place and extensive testing of incident response plans were two of the top three greatest cost saving factors examined in the study. Companies that had both of these measures in place had 1.23 million USD less total costs for a data breach on average than those that had neither measure in place (3.51 million vs. 4.74 million USD).
Additional factors impacting the cost of a breach for companies in the study included:
- Number of compromised records: Data breaches cost companies around 150 USD per record that was lost or stolen. This is an average across the breaches sampled by the study, not a linear rate; the report’s separate projections for mega breaches (42 million USD for 1 million records, 388 million USD for 50 million) imply a far lower per-record cost at scale, so the figure should not be extrapolated to very large breaches.
- Companies that fully deployed security automation technologies experienced around half the cost of a breach (2.65 million USD average) compared to those that did not have these technologies deployed (5.16 million average).
- Extensive use of encryption was also a top cost saving factor, reducing the total cost of a breach by 360,000 USD.
- Breaches originating from a third party, such as a partner or supplier, cost companies 370,000 USD more than average, emphasising the need for companies to closely vet the security of the companies they do business with, align security standards and actively monitor third-party access.
Regional and industry trends
The study also examined the cost of data breaches in different industries and regions, finding that data breaches in the US are vastly more expensive, costing 8.19 million USD on average, more than double the average for worldwide companies in the study. Costs for data breaches in the US have increased by 130 percent over the 14 years of the study, up from 3.54 million USD in the 2006 study.
Additionally, organisations in the Middle East reported the highest average number of breached records, with nearly 40,000 breached records per incident (compared to a global average of around 25,500).
For the 9th year in a row, healthcare organisations in the study had the highest costs associated with data breaches. The average cost of a breach in the healthcare industry was nearly 6.5 million USD – over 60 percent higher than the cross-industry average.
About the research
The research was based on in-depth interviews with more than 500 companies around the world that suffered a breach over the past year. The analysis takes into account hundreds of cost factors, ranging from legal, regulatory and technical activities to loss of brand equity, customers and employee productivity.