The cost of a data breach has risen by 12% over the past five years and now costs $3.92 million on average, according to the latest report from IBM. These rising expenses are representative of the multiyear financial impact of breaches, increased regulation and the complex process of resolving criminal attacks.
Even the untrained eye can see this rise in the cost of data breaches: Facebook’s $5 billion fine, the ICO going after 1.5% of British Airways’ annual turnover and Equifax’s $700 million comeuppance over the 2017 data breach have all been reported over the last two weeks.
Who’s really at risk?
The big companies will bounce back from the rising cost of data breaches. Even Facebook’s record $5 billion fine was shrugged off by investors, and the company’s stock actually rose following the news: the social media giant had already set aside that sum in anticipation of the penalty.
However, the financial consequences of a data breach can be particularly acute for small and midsize businesses. In IBM’s study, companies with fewer than 500 employees suffered losses of more than $2.5 million on average, a potentially crippling amount for small businesses, which typically earn $50 million or less in annual revenue.
The financial impact will be felt for years
Organisations that experience a data breach, whether large or small, will feel its financial impact for years, quite apart from the reputational damage. The report found that while an average of 67% of data breach costs were realised within the first year after a breach, 22% accrued in the second year and another 11% accumulated more than two years after the breach. These ‘long tail’ costs were higher in the second and third years for organisations in highly regulated environments, such as healthcare, financial services, energy and pharmaceuticals.
“Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses,” said Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services. “With organisations facing the loss or theft of over 11.7 billion records in the past three years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line and focus on how they can reduce these costs.”
The cost of data breaches
• Malicious breaches — the most common and most expensive: Over 50% of data breaches in the study resulted from malicious cyber attacks, and they cost companies $1 million more on average than those originating from accidental causes.
• “Mega breaches” lead to mega-losses: While less common, breaches of more than 1 million records cost companies a projected $42 million in losses; and those of 50 million records are projected to cost companies $388 million.
• Practice makes perfect: Companies with an incident response team that also extensively tested their incident response plan experienced $1.23 million less in data breach costs on average than those that had neither measure in place.
• US breaches cost double: The average cost of a breach in the US is $8.19 million, more than double the worldwide average.
• Healthcare breaches cost the most: For the 9th year in a row, healthcare organisations had the highest cost of a breach — nearly $6.5 million on average (over 60% more than other industries in the study).
Malicious breaches on the rise but accidental breaches still common
IBM’s study found that data breaches that originated from a malicious cyber attack were not only the most common root cause of a breach, but also the most expensive.
Malicious data breaches cost companies in the study $4.45 million on average, over $1 million more than those originating from accidental causes such as a system glitch or human error. These breaches are a growing threat: the share of breaches caused by malicious or criminal attacks rose from 42% to 51% over the past six years (a 21% relative increase).
That said, inadvertent breaches from human error and system glitches were still the cause of nearly half (49%) of the data breaches in the report, costing companies $3.50 million and $3.24 million respectively. These breaches from human and machine error represent an opportunity for improvement, which can be addressed through security awareness training for staff, technology investments, and testing services to identify accidental breaches early on.
One particular area of concern highlighted is the misconfiguration of cloud servers, which contributed to the exposure of 990 million records in 2018, representing 43% of all lost records for the year — according to the IBM X-Force Threat Intelligence Index.
Incident response — the biggest data breach cost saver
The speed and efficiency at which a company responds to a breach has a significant impact on the overall cost, according to 14 years of research from the Ponemon Institute.
This year’s report found that the average lifecycle of a breach was 279 days, with companies taking 206 days to first identify a breach after it occurs and an additional 73 days to contain it. Companies in the study that were able to detect and contain a breach in less than 200 days spent $1.2 million less on the total cost of the breach.
A focus on incident response can help reduce the time it takes companies to respond and improving these measures has a direct correlation with overall costs. Having an incident response team in place and extensive testing of incident response plans were two of the top three greatest cost saving factors examined in the study. And, companies that had both of these measures in place had $1.23 million less total costs for a data breach on average than those that had neither measure in place ($3.51 million vs $4.74 million).
What else impacts the cost of a data breach?
• Number of compromised records: Data breaches cost companies around $150 per record that was lost or stolen.
• Companies that had fully deployed security automation technologies experienced around half the cost of a breach ($2.65 million on average) compared to those that had not deployed these technologies ($5.16 million on average).
• Extensive use of encryption was also a top cost saving factor, reducing the total cost of a breach by $360,000.
• Breaches originating from a third party — such as a partner or supplier — cost companies $370,000 more than average, emphasising the need for companies to closely vet the security of the companies they do business with, align security standards, and actively monitor third-party access.
Regional and industry data breach trends
IBM’s study also examined the cost of data breaches in different industries and regions. It found that data breaches in the US are vastly more expensive — costing $8.19 million, or more than double the average for worldwide companies in the study. The costs for data breaches in the US increased by 130% over the past 14 years of the study; up from $3.54 million in 2006.
Organisations in the Middle East reported the highest average number of breached records, with nearly 40,000 breached records per incident (compared to a global average of around 25,500).
For the 9th year in a row, healthcare organisations had the highest costs associated with data breaches. The average cost of a breach in the healthcare industry was nearly $6.5 million — over 60% higher than the cross-industry average.