IBM Security

IBM Study: Hidden Costs of Data Breaches Increase Expenses for Businesses

July 11, 2018
By Larry Ponemon
 
Businesses run on risk: They take a chance, place their bets in the marketplace and often reap great rewards. But when thinking about the cost of a data breach, you may wonder about the price for your company and what, exactly, is at stake.
 
Here’s one way to think about it: You’re more likely to experience a data breach of at least 10,000 records (27.9 percent) than you are to catch the flu this winter (5–20 percent, according to WebMD). And as in the case of the flu, it’s crucial to act quickly and seek a cure for a speedy recovery. Since data breaches cost money, it’s best to take a cost-based approach to gain an accurate perspective of the problem at hand.
 
Sponsored by IBM Security and independently conducted by my team at the Ponemon Institute, the 13th-annual Cost of Data Breach Study includes two new factors in its analysis that influence data-breach costs: deployment of artificial intelligence (AI) and the extensive use of Internet of Things (IoT) devices.

The analysis also includes the cost of a so-called mega breach — an incident resulting in the loss of 1 million records or more — and the financial consequences of customers losing trust in your organization.

The Global Cost of a Data Breach Is Up in 2018

In this year’s study, the average cost of a data breach per compromised record was $148, and it took organizations 196 days, on average, to detect a breach. Overall, we found that the total cost, per-capita cost and average size of a data breach (by number of records lost or stolen) have all increased year over year.

The average cost of a data breach increased from 2017 to 2018

Locations that experienced the most expensive data breaches include the U.S., where notification costs are nearly five times the global average, and the Middle East, which suffered the highest proportion of malicious or criminal attacks — the most expensive type of breach to identify and address. Data breaches are less expensive in Brazil and India, where detection, escalation and notification costs rank the lowest.

While the cost of a breach increased for organizations in 13 countries compared to the five-year average, it decreased in Brazil and Japan, according to this year’s report.

Based on industry and location, our data breach calculator can determine how much a security incident might cost an organization.

The Bigger the Breach, the Higher the Cost

This year’s report found that the average total cost of a breach ranges from $2.2 million for incidents with fewer than 10,000 compromised records to $6.9 million for incidents with more than 50,000 compromised records.

This graph shows the average total cost by size of the data breach for the past 3 years

But what about those massive breaches that grab national headlines? The study revealed that a mega breach (involving 1 million compromised records) could cost as much as $39.49 million. Unsurprisingly, this figure increases as the number of breached records grows. A breach involving 50 million records, for example, would result in a total cost of $350.44 million.

How Can Companies Reduce Data Breach Costs?

Among the 477 companies examined for the study, the mean time to identify a breach is still substantial (197 days), while the mean time to contain a breach is 69 days.

The good news: There are strategies to help businesses lower the potential cost of a data breach. For the fourth year running, the study found a correlation between how quickly an organization identifies and contains a breach and the total cost.

Preparation and vigilance pays: The study found that an incident response team can reduce the cost of a breach by as much as $14 per compromised record from the average per-capita cost of $148. Similarly, extensive use of encryption can cut the cost by $13 per capita.

Customer Trust Impacts the Total Cost of a Breach

Organizations around the world lost customers due to data breaches in the past year. However, businesses that worked to improve customer trust reduced the number of lost customers — thereby reducing the cost of a breach. When they deployed a senior-level leader, such as a chief privacy officer (CPO) or chief information security officer (CISO), to direct customer trust initiatives, businesses lost fewer customers and, again, minimized the financial consequences of a breach.

Additionally, organizations that offered data-breach victims identity protection kept more customers than those that did not. Companies that lost less than 1 percent of existing customers incurred an average total cost of $2.8 million — while companies that experienced a churn rate of greater than 4 percent lost $6 million on average.

Examining the Effects of AI and IoT Adoption

For the first time, this year’s study examined the effects of organizations adopting AI as part of their security automation strategy and the extensive use of IoT devices. AI security platforms save companies money — an average of $8 per compromised record — and use machine learning, analytics and orchestration to help human responders identify and contain breaches. However, only 15 percent of companies surveyed said they had fully deployed AI. Meanwhile, businesses that use IoT devices extensively pay $5 more per compromised record on average.

To get the full rundown of the potential costs associated with a data breach — and learn what you can do to help protect your business — download the 2018 Cost of Data Breach Study: Global Overview, and take a look at our accompanying infographic.

You can also use our data breach calculator to explore the industry, location and cost factors if you experience a security incident.

Examine the cost of a data breach in 2018 with this data breach calculator

This story first appeared on the IBM Security Intelligence Blog.

You can learn more here.