
Data breach costs are dropping, but still $3.62 million on average, report says

The global business cost of a data breach dropped 10% from last year, but rose in the US, according to a new study from IBM Security and the Ponemon Institute.

Financial losses from data breaches may be starting to drop: The average cost of a data breach worldwide is now $3.62 million, down 10% from last year, according to a new study from IBM Security and the Ponemon Institute.

This marks the first decline measured since the global study was instituted, according to a press release.

Data breaches cost companies an average of $141 per lost or stolen record, the report found. However, the cost of a breach varies by region: European countries, which have recently imposed new regulatory requirements, saw a 26% decrease in the total cost of a data breach compared with last year's results. Meanwhile, in the US, where 48 out of 50 states have their own data breach laws, the average cost of a breach increased 5% this year, to $7.35 million. Businesses in the Middle East, Japan, South Africa, and India also experienced increased costs in 2017, the report found.

US businesses suffered the most expensive data breaches globally in 2017, the report found. Compliance failures and rushing to notify were among the top reasons why the cost of a breach rose—suggesting that US regulations could cost businesses more per record when compared to Europe, the press release noted. For instance, the release said, compliance failures cost US businesses 48% more than European ones. And US companies reported paying more than $690,000 on average for notification costs related to a breach—more than double that of any other country included in the report.


"New regulatory requirements like GDPR in Europe pose a challenge and an opportunity for businesses seeking to better manage their response to data breaches," said Wendi Whitmore, global lead, IBM X-Force Incident Response & Intelligence Services (IRIS), in the press release. "Quickly identifying what has happened, what the attacker has access to, and how to contain and remove their access is more important than ever. With that in mind, having a comprehensive incident response plan in place is critical, so when an organization experiences an incident, they can respond quickly and effectively."

Companies with an Incident Response (IR) team in place experienced significantly lower costs after a data breach, saving more than $19 per lost or stolen record, the report found. "The speed at which a breach can be identified and contained is in large part due to the use of an IR team and having a formal Incident Response plan," the release stated. Encryption and employee education were also shown to reduce the costs of a security incident, the report found.

How rapidly a company could contain a data breach also had a direct impact on its financial costs, the report found, with the cost of a breach dropping by nearly $1 million for those that could contain it in less than 30 days, compared to those who took more time. However, on average, companies took more than six months to identify a breach, and more than 66 days on top of that to contain it.

In terms of industry, healthcare breaches were the most expensive, costing organizations $380 per record—more than 2.5 times the global average across industries, IBM noted.

Third-party involvement in a data breach was the top factor leading to an increase in the cost of a breach, the report found. "Organizations need to evaluate the security posture of their third-party providers - from payroll to cloud providers to CRM - to ensure the security of employee and customer data," according to the press release.

Researchers interviewed more than 410 companies in 13 regions to build the report.

"Data breaches and the implications associated continue to be an unfortunate reality for today's businesses," said Dr. Larry Ponemon. "Year-over-year we see the tremendous cost burden that organizations face following a data breach. Details from the report illustrate factors that impact the cost of a data breach, and as part of an organization's overall security strategy, they should consider these factors as they determine overall security strategy and ongoing investments in technology and services."


The 3 big takeaways for TechRepublic readers

1. The average cost of a data breach for companies globally dropped from $4 million in 2016 to $3.62 million this year, according to a new study from IBM Security and the Ponemon Institute.

2. US businesses experienced the most expensive data breaches in 2017, due in large part to compliance failures and rushing to notify employees and authorities.

3. Companies with an Incident Response team in place experienced significantly lower costs after a data breach, as did those that could contain the breach within 30 days.

About Alison DeNisco

Alison DeNisco is a Staff Writer for TechRepublic. She covers CXO and the convergence of tech and the workplace.
