Data breaches can be costly for an organization in terms of lost or stolen data, customer mistrust, legal investigations, and recovery efforts. As a result, the sheer financial costs of a data breach can severely weaken or damage a company. Over the past five years, the cost of data breaches has shot up 12% and now average $3.92 million per business. Those rising expenses are due to a variety of factors, such as the multiyear financial impact of breaches, increasing regulation, and the challenge of resolving attacks by cybercriminals, according to a study released Tuesday by IBM Security.
Sponsored by IBM Security and conducted by the Ponemon Institute, the annual Cost of a Data Breach Report culled its data from interviews with more than 500 companies around the world that were hit by a data breach over the past year. The overall analysis encompasses hundreds of different cost factors, including legal expenses, regulatory demands, technical activities, the loss of brand equity, the loss of customers, and the toll on employee productivity.
SEE: Secure your data with two-factor authentication (free PDF) (TechRepublic)
The financial impact of a data breach can devastate companies of all sizes but especially small and mid-sized businesses. The study found that organizations with fewer than 500 employees were hit by losses of more than $2.5 million on average, a sizable amount for businesses with average annual revenue of $50 million.
The expenses triggered by data breaches don’t simply go away after a few months or a year. The study found that on average 67% of data breach costs were felt the first year, but 22% were accrued in the second year and another 11% more than two years after a breach.
IBM also analyzed the financial impact from breaches caused by malicious actors and cybercriminals versus those triggered by system glitches and human error. Malicious breaches accounted for 51% of the breaches examined in the study, while those arising from technical glitches and human error accounted for 49%. However, malicious breaches cost companies much more finanically, around $4.45 million on average. Breaches triggered by system glitches and human error cost businesses $3.5 million and $3.24 million, respectively.
Globally, data breaches proved more costly in the US at around $8.19 million, more than double the average for other countries. Organizations in the Middle East were hit by the highest average number of breached records with nearly 40,000 records per incident, compared with a global average of around 25,500 records. Healthcare organizations examined in the study suffered the highest costs associated with a data breach at almost $6.5 million, 60% higher than for other industries on average.
“Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses,” Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services, said in a press release. “With organizations facing the loss or theft of over 11.7 billion records in the past 3 years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line — and focus on how they can reduce these costs.”
Data breaches do remain a threat for any company, and the resulting financial costs can be sizable. But there are actions that organizations can take to lessen the financial impact, as outlined in the report.
- Establish an incident response team. Companies with an incident response team that also extensively tested their incident response plan experienced $1.23 million less in data breach costs on average than did those that had neither measure in place.
- Invest in the right security training, testing services, and technology. Breaches caused by technical glitches or human error represent a learing opportunity. Organizations should focus on such efforts as security awareness training for staff, technology investments, and testing services to identify accidental breaches before they occur. One area of concern mentioned in the report is the misconfiguration of cloud servers, which contributed to the exposure of 990 million records in 2018.
- React to a data breach with the necessary speed and efficiency. The study found that the speed and efficiency at which a company responds to a breach can significantly reduce the overall costs. Businesses that were able to detect and contain a breach in less than 200 days spent $1.2 million less on the total costs of the breach.
- Deploy security automation technologies. Companies that deployed security automation technologies experienced around half the cost of a breach ($2.65 million average) compared to those without such technologies ($5.16 million average).
- Use data encryption. The extensive use of encryption reduced the total cost of a breach by $360,000.
- Vet third parties. Breaches that originated from a partner or supplier cost companies $370,000 more than the average amount. That puts the onus on businesses to closely vet the security of their supply chain partners, make sure security standards are in alignment, and actively monitor third-party access.