For the 14th consecutive year, IBM Security released its annual Cost of a Data Breach Report, which examines the financial impact of data breaches on organizations.
According to the report, the cost of a data breach has risen 12% over the past 5 years to $3.92 million per incident on average. These rising expenses reflect the multi-year financial impact of breaches, increased regulation and the complex process of resolving criminal attacks.
The report is based on in-depth interviews with more than 500 companies around the world that experienced a data breach between July 2018 and April 2019. The research takes into account many cost factors, ranging from legal and regulatory to technical activities, as well as costs that result from a loss of brand equity, customer turnover and a subsequent drain on employee productivity.
The report shows IT professionals, business leaders, researchers and the broader security community that though the consequences of data breaches are severe, there are concrete ways organizations can mitigate costs and improve overall security posture.
Cost of a Data Breach Highlights
The 2019 Cost of a Data Breach Report findings are consistent with preceding years of the study. The United States has (again) the highest average total cost of a data breach at $8.19 million, more than twice the global average. Healthcare was again the most expensive industry for data breach costs, with the total cost of a data breach in 2019 averaging $6.45 million.
The financial consequences of a data breach can be particularly acute for small and mid-size businesses. In the study, companies with fewer than 500 employees suffered losses of more than $2.5 million on average, which works out to approximately $3,533 per employee. Smaller organizations therefore bear higher costs relative to their size than larger organizations, which can hamper their ability to recover financially from an incident.
To measure the cost of a data breach, the research looked at four core components of the expenditure a breach causes: detection and escalation, notification, post-breach response and lost business.
Loss of customer trust and the resulting reputational damage have serious financial consequences, and this is visible in the report findings: lost business is the largest of the four cost categories contributing to the total cost of a data breach. The average cost of lost business for organizations in the 2019 study was $1.42 million, which represented 36 percent of the total average cost of $3.92 million.
For the first time this year, the report also examined the long-term financial impact of a data breach, revealing that the effects of a data breach are felt for years. While an average of 67% of data breach costs came within the first year after a breach, 22% accrued in the second year and another 11% accumulated more than two years after a breach.
These “long-tail” costs were higher in the second and third years for organizations in highly regulated environments such as healthcare, financial services, energy and pharmaceuticals.
“Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses,” said Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services, in the report’s press release. “With organizations facing the loss or theft of over 11.7 billion records in the past 3 years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line, and focus on how they can reduce these costs.”
Data Breach Root Causes and Life Cycle
The study shows how difficult it is for organizations to mitigate breaches. IBM found that the time it took organizations to identify and contain a breach, which the report calls the “data breach life cycle,” was 279 days. This life cycle was 4.9 percent longer than the 266-day average in 2018.
A related finding is that the longer a breach’s life cycle, the greater its total cost. This was especially true of malicious and criminal attacks, which took an average of 314 days to identify and contain. The cost of a breach with a life cycle of more than 200 days was $1.2 million higher than that of a breach with a life cycle of fewer than 200 days.
In addition, the study found that data breaches originating from a malicious cyber attack were not only the most common root cause of a breach but also the most expensive. Malicious data breaches cost companies participating in the study $4.45 million on average, over $1 million more than breaches originating from system glitches or human error. Breaches caused by malicious or criminal attacks are a growing threat: the report showed a 21% increase over the past six years.
This finding does not diminish the consequences of breaches caused by system glitches and human error. While much attention in the security world continues to be placed on malicious attacks, it is equally important to highlight the gravity of the threats posed by system misconfigurations and human error. It is therefore no surprise that one particular area of concern in the report was the misconfiguration of cloud servers, which contributed to the exposure of 990 million records in 2018 and represented 43% of all lost records for the year.
Inadvertent breaches from human error and system glitches still accounted for nearly half (49%) of the data breaches in the report, costing companies $3.50 million and $3.24 million, respectively. These breaches from human and machine error represent an opportunity for improvement, however, as organizations can address them through security awareness training for staff, investment in appropriate technology solutions, and testing services that identify accidental breaches early on.
Factors Affecting the Total Cost of a Data Breach
Throughout their history, the IBM reports have examined factors that increase or reduce the cost of a breach. Broadly, the efficiency with which a company responds to a breach has a significant impact on the overall cost.
Focusing on incident response can help reduce the time it takes companies to respond, and the study found that these practices also correlated directly with overall costs. Having an incident response team and extensively testing incident response plans were two of the top three cost-saving factors examined in the study.
Companies that had both of these measures in place had total data breach costs $1.23 million lower on average than those that had neither measure in place ($3.51 million vs. $4.74 million). Testing the incident response plan through tabletop exercises or simulations in an environment such as a cyber range can help teams respond faster and potentially contain a breach sooner.
The third cost saver was the extensive use of encryption, which was found to reduce the total cost of a data breach by $360,000. Other cost-mitigating factors worth noting were business continuity management, a DevSecOps approach, employee education and the use of automation platforms.
Organizations that have deployed automated security solutions with artificial intelligence and machine learning analytics that reduce the need for direct human intervention also see significantly lower costs after experiencing a data breach. Companies that fully deployed security automation technologies experienced around half the cost of a breach ($2.65 million average) compared to those that did not have these technologies deployed ($5.16 million average).
On the other hand, the research found that the involvement of a third-party partner tends to increase the total cost of a data breach by about $370,000. This finding emphasizes the need for companies to closely vet the security of the companies they do business with, align security standards and actively monitor third-party access. Other factors found to increase the average total cost of a data breach include compliance failures, extensive cloud migration, operational technology (OT) infrastructure and system complexity.
The Cost of a Data Breach research underscores the importance of being prepared for a cyber incident. Below are some recommendations organizations can follow to help reduce the damage and financial impact of a data breach:
- Have an incident response team and put incident response plans to the test.
- Have programs in place that preserve customer trust through practiced crisis communications. The way you react in such a situation says a lot about your customer-oriented culture.
- Discover, classify and encrypt sensitive data and identify database misconfigurations. These core security controls will allow you to be compliant with government frameworks and privacy regulations, such as GDPR.
- Invest in technologies that improve the ability to rapidly detect and contain a data breach. Money can buy you time, and time, in this case, is money.
- Invest in governance, risk management, compliance and security awareness programs. They will help you develop a robust security posture and culture.
- Beware of IT complexity and disconnected security solutions. Security solutions need to be capable of working seamlessly across multiple clouds and integrating with solutions from multiple vendors.