IBM Security and Ponemon Institute recently conducted a study called 2018 Cost of a Data Breach Study: Global Overview to understand trends in the cost of data breaches. The study gathered information from 477 organizations across 15 countries that experienced a breach within the last year. Researchers began by determining the number of lost or stolen records and quantifying the loss of customer goodwill for each company. They also learned how much each company spent upon discovery of a breach, on response protocols – like hiring a forensic team and investigators – and on the outcome, which includes alerting victims and paying legal fees.
The research revealed that several factors can influence the cost of a data breach, such as the size of the breach or the number of compromised records. More sensitive information on file means there’s more to lose in the event of a breach. A second factor is how long it takes to recognize and contain a breach. The study indicates the faster a breach was identified and contained, the lower the costs were. The time it took to both find and respond to a breach increased, which researchers attribute to “the increasing severity of criminal and malicious attacks…” Losing customers after a breach proved to be another substantial factor that impacted cost. Companies that had an executive manage outreach post-breach and provided victims with identity protection had a better chance of retaining customers.
Let’s dive into the findings. The study found the average cost of a data breach to be $3.86 million, which equates to $148 for the average cost per lost or stolen record and to a 6.4% one-year cost increase worldwide. The costs associated with building contact databases, determining regulatory stipulations, and hiring outside help were the highest in the United States (at $740,000) and the lowest in India (at $20,000). Canada incurred the most cost (at $81 per lost or missing record) to bring in forensic specialists, engage law firms, and offer victims identity protection. The U.S. spent the most per capita ($152) on victim notification, investigations, and employees’ time and effort.
The study presented valuable insights companies can use to create sound data security practices. For example, the time to both identify and contain a breach was higher for nefarious attacks and significantly lower for incidents caused by human error. According to the results, program malfunctions and human error or negligence cost $131 and $128, respectively. (By contrast, 48% of the breaches were rooted in malicious attacks, with an average cost of $157 per record.) In addition, companies with an incident response (IR) team saved as much as $14 per lost or missing record, averaging a cost of $134 per record. What’s more, organizations that had been using encryption saved about $13 per capita, yielding an adjusted cost of $135 per record. The study explains these numbers in more detail, drawing conclusions that are as fascinating as they are staggering.
This study shed light on the critical topic of data breaches and exposed the crippling toll a breach can take on a company’s finances. If we read between the lines, we see why data security is of paramount importance to running an organization in the modern landscape. The wisdom you can glean from this research is yours for the taking.