We have heard many accounts of data breaches in the news over the last few years, and it is safe to say that not even the tech giants are immune from cyberattacks that can cost millions. Here we take an in-depth look at the 2019 Cost of a Data Breach study carried out by the Ponemon Institute and IBM.
Significant Findings from the Report
The data came from 507 companies that had experienced some form of data breach, and the cost factors included legal expenses, technical activities, customer turnover, and lost productivity. The statistics below exclude what the report classes as ‘mega breaches’ (those involving more than a million records), such as the Equifax and Facebook incidents.
- The global average cost of a data breach has risen by 12% over the last five years, to $3.92 million
- The United States had the highest average cost at $8.19 million
- The healthcare industry had the highest average cost at $6.45 million (possibly due to the large amount of sensitive personal data it holds)
Let’s focus more on the different aspects found in the report.
The Largest Contributor to Data Breach Costs
The largest contributor was lost business caused by a reduction in customer trust, which added an average of $1.42 million to the cost of a breach. In the worst cases, where a breach led to abnormal customer churn of more than 4%, the average cost rose to $5.7 million.
The Lasting Effects of a Data Breach
Approximately a third of the costs were incurred a year or more after the data breach: 67% fell in the first year, 22% in the second year, and 11% more than two years after the breach. The healthcare and financial industries suffered for longer, and organisations in highly regulated data protection environments incurred only 53% of their costs in the first year, with the rest trailing into later years. New laws such as GDPR may have driven this longer tail.
The Average Lifecycle of a Data Breach
The lifecycle is defined as the period from when the breach occurs to when it is contained. The report showed that it took an average of 206 days to identify a breach and a further 73 days to contain it, so the lifecycle was 279 days in 2019, up from 266 days in 2018. Breaches with a lifecycle of less than 200 days cost on average $1.2 million less than those that took longer to contain.
The Most Common and Most Expensive Causes of a Data Breach
51% of the data breaches in 2019 were caused by malicious attacks, up 21% from the 42% recorded in 2014. The lifecycle for malicious attacks is also much longer, at 314 days. By root cause, the average costs were malicious attacks ($4.45 million), human error ($3.5 million), and system glitches ($3.24 million).
The Financial Impact of Human Error and System Glitches
Human error covers negligent employees and contractors, for example staff falling for a phishing email, plugging in infected devices, or losing equipment. Breaches caused by human error cost an average of $3.5 million and accounted for around a quarter of all breaches. Another quarter were caused by system glitches, costing an average of $3.24 million.
Small Businesses Are More Affected
The cost of a data breach for a small business can be enough to damage its bottom line beyond recovery. Small businesses were defined as those with 500 to 1,000 employees and had an average breach cost of $2.65 million. That works out at $3,533 per employee, compared with $204 per employee for the largest businesses (those with more than 25,000 employees).
The Largest Cost Amplifiers of a Data Breach
The top five amplifiers were:
- Third-party involvement
- Compliance failures
- Extensive cloud migration
- System complexity
- Operational technology
Third-party involvement in a breach raised the average cost by more than $370,000. Extensive cloud migration added approximately $300,000, and system complexity made the average cost $290,000 higher.
How Can You Reduce the Cost of a Data Breach?
Businesses that made extensive use of encryption saw the largest reduction in average cost, $360,000 less. Business continuity management reduced the average cost of a data breach by $280,000. Other cost-reducing factors included threat intelligence sharing and DevSecOps.
What Can an Incident Response Plan Do?
Businesses that had an incident response team and extensively tested their incident response plan lowered the average cost of a data breach by $1.23 million compared with those that had neither.
Can Automated Security Reduce Costs?
Absolutely! Businesses that deployed security automation technology reduced the amount of manual effort needed to detect and contain a breach. Among businesses with no security automation, the average cost rose from $4.43 million in 2018 to $5.16 million in 2019, whereas businesses with fully deployed automation saw their average cost fall from $2.88 million to $2.65 million.
The Impact of Location and Industry
As mentioned, the US had the highest costs, more than twice the worldwide average. The Middle East had the largest breaches, averaging 38,800 compromised records compared with the worldwide average of around 25,500. The healthcare industry's average cost was more than 60% higher than the cross-industry average.
What Are the Chances of Suffering from a Data Breach?
The chances are increasing. In 2018 the likelihood of experiencing a breach within a two-year period was 27.9%, and it rose to 29.6% in 2019. Compared with 2014, a business is now nearly a third more likely to experience a data breach within two years.