Data breaches may be more costly than business leaders think. Today's incidents come with hidden costs such as lost business and customers, as well as employee expenses to recover from breaches, according to the 2018 Cost of a Data Breach Study from IBM Security and the Ponemon Institute. The global study is based on interviews with more than 2,200 individuals in 477 organizations.
Typically, damage estimates for data breaches focus on easily quantifiable costs, says Wendi Whitmore, global lead for IBM's X-Force Incident Response and Intelligence Services. But that doesn't account for reputational damage, customer loss, and operational costs. "Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake," she explains.
How costly? The global study estimates the average data breach costs $3.86 million, up 6 percent from the 2017 study. That works out to $148 per compromised record.
"Mega-breaches" involving more than 1 million lost records — think Equifax, Uber, and Yahoo — may cost organizations between $40 million and $350 million. The number of such breaches has nearly doubled from nine in 2013 to 16 in 2017, the study notes.
Most of those breaches were caused by malicious and criminal attacks. Worse yet, it takes one year on average to detect and contain a mega-breach, about 100 days longer than small-scale breaches.
As with mega-breaches, malicious and criminal attacks are the biggest cause of data breaches, accounting for nearly half of incidents. The culprits are both hackers and criminal insiders.
Moreover, these attacks are more costly than other causes — $157 per record compared to $131 for a systems problem or $128 for human error. Malicious attacks were most common in the Middle East, France, and the U.S.
Consumers Losing Trust
The cost of a data breach is affected by many factors. For starters, the more records that are compromised, the greater the cost. Organizations that lost fewer than 10,000 records paid $2.1 million on average. The average total cost for organizations that lost more than 50,000 records was $5.7 million.
But the real cost may be lost customer trust. Three-fourths of U.S. consumers say they won't do business with companies if they don't trust them to safeguard their data, according to a recent IBM/Harris poll.
That sentiment is reflected in the survey data. An organization that lost more than 4 percent of its existing customers due to an incident lost $4.9 million on average compared to $2.7 million for organizations that lost less than 1 percent.
U.S. organizations suffer the most from customer losses due to breaches. For these organizations, the average cost of lost business ($4.2 million) exceeds the total average cost of a data breach. Moreover, U.S. organizations pay nearly twice as much for customer loss as organizations in any other part of the world.
Taking steps to address customer trust may mitigate the impact of a data breach. The study notes that organizations with a senior-level leader directing efforts to improve customer trust lose fewer customers. Similarly, offering breach victims identity protection services can stem customer loss.
Incident Response Is Key
The most crucial factor in minimizing the cost of a data breach is the ability to respond to an incident quickly. In the study, the mean time to identify a breach was 197 days, with an additional 69 days needed to contain it. However, organizations that contained a breach within 30 days saved more than $1 million per incident. The study attributes the high response time to "the increasing severity of criminal and malicious attacks."
Detection and escalation activities include forensics, investigations, assessment and audits, crisis management, and communications to senior management and the board. Response activities include help desk activities, addressing external inquiries, investigations, remediation, legal expenses, providing identity protection services to individuals, and communications with regulators.
Having an incident response team in place generates the greatest cost savings, reducing the cost of an incident by $14 per record. Other factors that can reduce per-incident costs are extensive use of encryption, business continuity management, and employee training.
Conversely, a breach caused by a third party adds the most to the cost of an incident. Other factors that raise costs are a breach that occurs during an extensive migration to a cloud service, compliance failures, and heavy use of mobile platforms.
Are You Next?
Knowing what's at stake, organizations may be curious about their likelihood of suffering a data breach. That all depends on how many records are involved.
The study notes that the likelihood of a breach declines as the number of compromised records increases. The probability of a data breach involving 10,000 records is 28 percent over the next 24 months. For breaches affecting 100,000 records, it is 1.5 percent.
Location matters, as well. Organizations in Brazil, France, and South Africa are most likely to have a data breach in the next 24 months, the study estimates based on past trends. German and Australian organizations are the least likely to have a breach.