IBM Study: “Hidden costs of data breaches increase expense for businesses”

IBM Security has published the results of a global study examining the full financial impact of a data breach on a company’s bottom line. Overall, the study found that hidden costs in data breaches – such as lost business, negative impact on reputation and employee time spent on recovery – are difficult and expensive to manage. For example, the study found that one-third of the cost of “mega breaches” (ie episodes where over one million records are lost) was derived from lost business.

Sponsored by IBM Security and conducted by The Ponemon Institute, the 2018 Cost of a Data Breach Study found that the average cost of a data breach globally is $3.86 million. That’s a 6.4% increase from the 2017 report.

Based on in-depth interviews with nearly 500 companies that experienced a data breach, the study analyses hundreds of cost factors surrounding a breach, from technical investigations and recovery to notifications, legal and regulatory activities, as well as the cost of lost business and reputation.

This year, and for the first time, the study also calculated the costs associated with the aforementioned “mega breaches”, duly projecting that these breaches cost companies between $40 million and $350 million respectively.

“While highly-publicised data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified,” said Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services. “The truth is there are many hidden expenses which must be taken into account, such as reputational damage, customer turnover and operational costs. Knowing where the costs lie, and how to reduce them, can help companies to invest their resources more strategically and lower the huge financial risks at stake.”

Calculating the cost of a “mega breach”

In the past five years, the amount of “mega breaches” has nearly doubled from just nine episodes in 2013 to 16 in 2017. Due to the small number of “mega breaches” in the past, the Cost of a Data Breach study historically analysed data breaches of around 2,500 to 100,000 lost records.

Based on analysis of 11 companies experiencing a “mega breach” over the past two years, this year’s report uses statistical modelling to project the cost of breaches ranging from 1 million to 50 million compromised records. Key findings include the following:

*Average cost of a data breach of one million compromised records is nearly $40 million

*At 50 million records, the estimated total cost of a breach is $350 million

*The vast majority of these breaches (ten out of 11, in fact) stemmed from malicious and criminal attacks (as opposed to system glitches or human error)

*The average time to detect and contain a “mega breach” was 365 days – almost 100 days longer than a smaller scale breach (266 days)

For “mega breaches”, the biggest expense category was costs associated with lost business, which was estimated at nearly $118 million for breaches of 50 million records – almost a third of the total cost of a breach this size.

IBM analysed the publicly reported costs of several high-profile “mega breaches” and found the reported numbers are often less than the average cost found in the study. This is likely to be due to publicly reported cost often being limited to direct costs, such as technology and services to recover from the breach, legal and regulatory fees and reparations to customers.

What impacts the average cost of a data breach?

For the past 13 years, The Ponemon Institute has examined the cost associated with data breaches of less than 100,000 records, finding that the costs have steadily risen over the course of the study. The average cost of a data breach was $3.86 million in the 2018 study compared to $3.50 million in 2014 – representing nearly a 10% net increase over the past five years of the study.

The study also examines factors which increase or decrease the cost of the breach, finding that costs are heavily impacted by the amount of time spent containing a data breach, as well as investments in technologies that speed response time.

The average time to identify a data breach in the study was 197 days, while the average time to contain a data breach once identified was 69 days. Companies who contained a breach in less than 30 days saved over $1 million compared to those that took more than 30 days ($3.09 million versus $4.25 million average total)

The amount of lost or stolen records also impacts the cost of a breach, costing $148 per lost or stolen record on average. The study examined several factors which increase or decrease this cost. Having an incident response team was the top cost saving factor, reducing the cost by $14 per compromised record. The use of an Artificial Intelligence (AI) platform for cyber security reduced the cost by $8 per lost or stolen record. Companies that indicated a “rush to notify” had a higher cost by $5 per lost or stolen record.

The report examined the effect of security automation tools which use AI, machine learning, analytics and orchestration to augment or replace human intervention in the identification and containment of a breach. The analysis found that organisations with extensively deployed automated security technologies saved over $1.5 million on the total cost of a breach ($2.88 million compared to $4.43 million for those who had not deployed security automation.)

Regional and industry differences

The study also compared the cost of data breaches in different industries and regions, finding that data breaches are the costliest in the US and the Middle East and least costly in Brazil and India. US companies experienced the highest average cost of a breach at $7.91 million, followed by the Middle East at $5.31 million. The lowest total cost of a breach was $1.24 million in Brazil, followed by $1.77 million in India.

One major factor impacting the cost of a data breach in the US was the reported cost of lost business, which was $4.2 million – more than the total average cost of a breach globally and more than double the amount of “lost business costs” compared to any other region surveyed.

One major factor impacting lost business costs is customer turnover in the aftermath of a breach. in fact, a recent IBM/Harris Poll report found that 75% of consumers in the US say that they will not do business with companies whom they don’t trust to protect their data.

For the eighth year in a row, healthcare organisations had the highest costs associated with data breaches – costing them $408 per lost or stolen record – nearly three times higher than the cross-industry average ($148).

“The goal of our research is to demonstrate the value of good data protection practices and the factors that make a tangible difference in what a company pays to resolve a data breach,” said Dr Larry Ponemon, chairman and founder of The Ponemon Institute. “While data breach costs have been rising steadily over the history of the study, we see positive signs of cost savings through the use of newer technologies as well as proper planning for incident response, which can significantly reduce these costs.”

How the main costs of breaches can be avoided

Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge, commented: “I would probably highlight loss of business as a main, albeit long-term cost of a data breach. New customers may hesitate to work with you, while old customers can simply refuse to renew their contracts. The second pillar of costs are legal expenses, fines and penalties imposed by regulatory authorities, often aggravated by individual and class-action lawsuits the victims may have against the breached company.”

He added: “Last, but not least, breach investigation and remediation can be quite expensive and require partial shutdown of operations and interruption of business-critical processes. Even worse, you never know how long the impact will last. In some cases, people may quickly forget about the incident, but in others it can take literally decades to expunge negative memories and stereotypes.”

How can AI, machine learning, analytics and orchestration be used to mitigate breaches or prevent them? “AI technologies are mainly used for intelligent automation and acceleration of various complicated tasks and processes,” observed Kolochenko.” However, per se, AI isn’t a panacea and worth virtually nothing if not applied correctly. Most of the breached companies failed not because of bad technologies they use, but due to their overall lack of coherent cyber security strategy. Many large companies don’t even have an up-to-date and comprehensive inventory of their digital assets with business-critical data, let alone properly implemented continuous security monitoring and anomaly detection. Cyber security should start with an holistic risk assessment and coherent risk mitigation strategy, not with a particular technology that may be unsuitable for your company, people or processes.”

What are the most useful data protection practices that organisations can put into practice to minimise damage/cost of breaches? “Organisations need to build a comprehensive and up-to-date inventory of all their digital assets,” urged Kolochenko. “That includes software, hardware, users, data and licenses. Then they must assess and prioritise the risks and threats to these assets. Once done, a risk-based cyber security roadmap should be launched and continuously measured. Speaking about particular technologies, I’d certainly emphasise continuous security monitoring, anomaly detection, strong authentication and role-based access control with the four-eyes principle.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts