IBM Study: Hidden Costs of Data Breaches Increase
The number of mega breaches (breaches of more than one million records) has nearly doubled in the past five years.
An IBM Security study modelled mega breaches of 1 million to 50 million lost records and projected that such breaches cost companies between $40 million and $350 million.
Sponsored by IBM Security and conducted by Ponemon Institute, the 2018 Cost of a Data Breach Study found that the average cost of a data breach globally is $3.86 million, a 6.4% increase from the 2017 report. Based on interviews with nearly 500 companies that experienced a data breach, the study analyzed hundreds of cost factors surrounding a breach, from technical investigations and recovery, to notifications, legal and regulatory activities, and cost of lost business and reputation.
Overall, the study found that hidden costs in data breaches, such as lost business, negative impact on reputation and employee time spent on recovery, are difficult and expensive to manage. For example, the study found that one-third of the cost of mega breaches (over 1 million lost records) comes from lost business.
“While highly publicized data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified,” said Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services. She added that companies must consider many hidden expenses, such as reputational damage, customer turnover, and operational costs.
In the past five years, the number of mega breaches (breaches of more than 1 million records) increased from just nine in 2013 to 16 in 2017.
This year’s report used statistical modelling to project the cost of breaches ranging from 1 million to 50 million compromised records.
Key findings included:
- Average cost of a data breach of 1 million compromised records is nearly $40 million. At 50 million records, the estimated total cost of a breach is $350 million.
- Most of these breaches (10 out of 11) stemmed from malicious and criminal attacks (as opposed to system glitches or human error).
- The average time to detect and contain a mega breach was 365 days – almost 100 days longer than a smaller scale breach (266 days).
For mega breaches, the biggest expense category was lost business, estimated at nearly $118 million for breaches of 50 million records.
For the past 13 years, the Ponemon Institute has examined the cost associated with data breaches of less than 100,000 records, finding that the costs have steadily risen over the course of the study. The average cost of a data breach was $3.86 million in the 2018 study, compared to $3.5 million in 2014.
The study also examined factors which increase or decrease the cost of a breach. The amount of time spent containing a data breach, as well as investments in technologies that speed response, heavily affected costs. According to the study, the average time to identify a data breach was 197 days, and the average time to contain a data breach once identified was 69 days.
Companies that contained a breach in less than 30 days saved over $1 million compared to those that took more than 30 days.
The number of lost or stolen records also affects the cost of a breach, which averaged $148 per lost or stolen record.
Several factors increased or decreased this per-record cost: having an incident response team was the top cost-saving factor, reducing the cost by $14 per compromised record. The use of an artificial intelligence platform for cybersecurity reduced the cost by $8 per lost or stolen record. Companies that indicated a “rush to notify” had a higher cost by $5 per lost or stolen record.
The analysis found organizations extensively deploying automated security technologies saved over $1.5 million on the total cost of a breach.
The study also found data breaches are the costliest in the U.S. and the Middle East, and least costly in Brazil and India.
One major factor driving the cost of a data breach in the U.S. was the reported cost of lost business, which was $4.2 million – more than the total average cost of a breach globally, and more than double the lost business cost of any other region surveyed.