IBM Security study highlights 12% escalation in data breach costs post-2014

IBM Security has announced the results of its annual study examining the financial impact of data breaches on today’s organisations. According to the report, the cost of a data breach has risen 12% over the past five years and now costs $3.92 million on average. These rising expenses are representative of the multiyear financial impact of breaches, increased regulation and the complex process of resolving criminal attacks.

The financial consequences of a data breach can be particularly acute for SMEs, of course. In the IBM Security study, those companies with less than 500 employees suffered losses of more than $2.5 million on average – a potentially crippling amount for small businesses, which typically earn $50 million or less in annual revenues.

For the first time this year, the report also examined the ‘long tail’ financial impact of a data breach, finding that the effects of such a breach are felt for years. While an average of 67% of data breach costs were realised within the first year after a breach, 22% accrued in the second year and another 11% accumulated more than two years after a breach episode. The ‘long tail’ costs were higher in the second and third years for organisations in highly regulated environments, such as healthcare, financial services, energy and pharmaceuticals.

“Cyber crime represents big money for cyber criminals, and unfortunately that equates to significant losses for businesses,” said Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services. “With organisations facing the loss or theft of over 11.7 billion records in the past three years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line and focus on how they can reduce these costs.”

Top report findings

Sponsored by IBM Security and conducted by The Ponemon Institute, the annual ‘Cost of a Data Breach Report’ is based on in-depth interviews with more than 500 companies around the world that suffered a breach over the past year. The analysis takes into account hundreds of cost factors including legal, regulatory and technical activities through to loss of brand equity, customers and employee productivity.

Some of the top findings from this year’s report include the following:

* Malicious breaches most common, most expensive: Over 50% of data breaches in the study resulted from malicious cyber attacks and cost companies $1 million more on average than those originating from accidental causes

* ‘Mega breaches’ lead to mega losses: While less common, breaches of more than one million records cost companies a projected $42 million in losses and those of 50 million records are projected to cost companies $388 million

* Practice makes perfect: Companies with an incident response team that also extensively tested their incident response plan experienced $1.23 million less in data breach costs on average than those that had neither measure in place

* US breaches cost double: The average cost of a breach in the US is $8.19 million, which is more than double the worldwide average

* Healthcare breaches cost the most: For the ninth year in a row, healthcare organisations had the highest cost of a breach – nearly $6.5 million on average (which is over 60% more than other industries in the study)

Malicious breaches pose growing threat

The study found that data breaches which originated from a malicious cyber attack were not only the most common root cause of a breach, but also the most expensive.

Malicious data breaches cost companies in the study $4.45 million on average – over $1 million more than those originating from accidental causes such as system glitches and human error. These breaches are a growing threat, as the percentage of malicious or criminal attacks as the root cause of data breaches in the report crept up from 42% to 51% over the past six years of the study (representing a 21% increase).

That said, inadvertent breaches from human error and system glitches were still the cause of nearly half (49%) of the data breaches in the report, costing companies $3.50 million and $3.24 million respectively. These breaches from human and machine error represent an opportunity for improvement which can be addressed through security awareness training for staff, technology investments and testing services to identify accidental breaches early on.

One particular area of concern is the misconfiguration of cloud servers which contributed to the exposure of 990 million records in 2018, representing 43% of all lost records for the year according to the IBM X-Force Threat Intelligence Index.

Breach response remains biggest cost saver

For the past 14 years, The Ponemon Institute has examined factors that increase or reduce the cost of a breach and has found that the speed and efficiency at which a company responds to a breach has a significant impact on the overall cost.

This year’s report found that the average lifecycle of a breach was 279 days with companies taking 206 days to first identify a breach after it occurs and an additional 73 days to contain the breach. However, companies in the study who were able to detect and contain a breach in less than 200 days spent $1.2 million less on the total cost of a breach.

A focus on incident response can help reduce the time it takes companies to respond. The study found that these measures also had a direct correlation with overall costs. Having an incident response team in place and extensive testing of incident response plans were two of the greatest cost-saving factors examined in the study. Companies that had both of these measures in place had $1.23 million less total costs for a data breach on average than those that had neither measure in place ($3.51 million versus $4.74 million).

Additional factors impacting the cost of a breach for companies in the study included:

* Number of compromised records: Data breaches cost companies around $150 per record that was lost or stolen

* Security automation: Companies that fully deployed security automation technologies experienced around half the cost of a breach ($2.65 million on average) compared to those that didn’t have these technologies deployed ($5.16 million on average)

* Encryption: Extensive use of encryption was also a top cost-saving factor, reducing the total cost of a breach by $360,000

* Third-party involvement: Breaches originating from a third party – such as a partner or supplier – cost companies $370,000 more than average, in turn emphasising the need for companies to closely vet the security of the companies with whom they do business, align security standards and actively monitor third-party access

Response from the industry

Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, commented: “I think that the true aggregated costs of a data breach are considerably higher than the numbers from this alarming report. It’s often impossible to measure damages in a reliable and certain manner due to their ongoing effect and indirect nature. Frequently, companies calculate immediate and direct losses only, likewise omitting impending legal costs and penalties that may take years to arrive in the accounting books.”

Kolochenko added: “Cyber criminals also become more sophisticated and continuously explore new avenues to wisely exploit the stolen data to make more money. Worse still, modern companies collect incrementally more data on their clients, thereby skyrocketing the potential costs of a data breach. With the recent headlines on proposed fines for British Airways, Equifax and Marriott International, we’re observing an iron fist from the regulatory agencies towards hacked companies. In light of such unprecedented appetites by those authorities, it wouldn’t be unreasonable to suggest that upcoming security incidents will cost tremendously more than they do today.”

About the Author

Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.