The average cost of a data breach was $3.86m in 2018, compared to $3.5m in 2014- representing nearly a 10% net increase over the past 5 years, according to the latest Cost of a Data Breach Study sponsored by IBM Security and conducted by Ponemon Institute.
The global study, which examines the full financial impact of a data breach on a company's bottom line, also found that hidden costs in data breaches – such as lost business, negative impact on reputation and employee time spent on recovery are difficult and expensive to manage.
For example, the study found that one-third of the cost of ‘mega breaches’ (defined as those involving 1-50 million lost records) was derived from lost business. For the first time this year, the study looked at the costs of these mega breaches, and projected that they cost companies between $40m and $350m respectively.
"While highly publicised data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified," said IBM X-Force Incident Response and Intelligence Services (IRIS) global lead Wendi Whitmore.
"The truth is there are many hidden expenses which must be taken into account, such as reputational damage, customer turnover, and operational costs. Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake."
In the past five years, the amount of mega breaches has nearly doubled - from just nine mega breaches in 2013, to 16 mega breaches in 2017. Due to the small amount of mega breaches in the past, the study historically analysed data breaches of around 2,500 to 100,000 lost records.
Based on analysis of 11 companies experiencing a mega breach over the past two years, this year's report uses statistical modelling to project the cost of breaches ranging from 1-50 million compromised records. Key findings include:
- Average cost of a data breach of 1 million compromised records is nearly $40m
- At 50 million records, estimated total cost of a breach is $350m
- The vast majority of these breaches (10 out of 11) stemmed from malicious and criminal attacks (as opposed to system glitches or human error)
- The average time to detect and contain a mega breach was 365 days – almost 100 days longer than a smaller scale breach (266 days)
- For mega breaches, the biggest expense category was costs associated with lost business, which was estimated at nearly $118m for breaches of 50 million records – almost a third of the total cost of a breach this size.
- IBM analysed the publicly reported costs of several high profile mega breaches, and found the reported numbers are often less than the average cost found in the study. This is likely due to publicly reported cost often being limited to direct costs, such as technology and services to recover from the breach, legal and regulatory fees, and reparations to customers.
This year for the first time, the report examined the effect of security automation tools which use artificial intelligence, machine learning, analytics and orchestration to augment or replace human intervention in the identification and containment of a breach. The analysis found that organisations that had extensively deployed automated security technologies saved over $1.5m on the total cost of a breach ($2.88m, compared to $4.43m for those who had not deployed security automation.)
"The goal of our research is to demonstrate the value of good data protection practices, and the factors that make a tangible difference in what a company pays to resolve a data breach," said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. "While data breach costs have been rising steadily over the history of the study, we see positive signs of cost savings through the use of newer technologies as well as proper planning for incident response, which can significantly reduce these costs."
Other findings of the study are as follows:
- For the 8th year in a row, healthcare organisations had the highest costs associated with data breaches – costing them $408 per lost or stolen record – nearly three times higher than the cross-industry average ($148).
- U.S. companies experienced the highest average cost of a breach at $7.91m, followed by the Middle East at $5.31m.
- The lowest total cost of a breach was $1.24m in Brazil, followed by $1.77m in India.
- The average time to identify a data breach in the study was 197 days, and the average time to contain a data breach once identified was 69 days.
- Companies who contained a breach in less than 30 days saved over $1m compared to those that took more than 30 days ($3.09m vs $4.25m average total)
- The amount of lost or stolen records also impacts the cost of a breach, costing $148 per lost or stolen record on average. The study examined several factors which increase or decrease this cost: (a) Having an incident response team was the top cost saving factor, reducing the cost by $14 per compromised record; (b) the use of an AI platform for cybersecurity reduced the cost by $8 per lost or stolen record; and companies that indicated a "rush to notify" had a higher cost by $5 per lost or stolen record.
More information can be found here.