Data Breach Costs Are on the Rise

IBM

IBM Security announced the results of its annual study examining the financial impact of data breaches on organizations. According to the report, the cost of a data breach has risen 12% over the past 5 years and now stands at $3.92 million on average. These rising expenses are representative of the multiyear financial impact of breaches, increased regulation and the complex process of resolving criminal attacks.

The financial consequences of a data breach can be particularly acute for small and midsize businesses. In the study, companies with fewer than 500 employees suffered losses of more than $2.5 million on average, a potentially crippling amount for small businesses, which typically earn $50 million or less in annual revenue.

For the first time this year, the report also examined the longtail financial impact of a data breach, finding that the effects of a data breach are felt for years. While an average of 67% of data breach costs were realized within the first year after a breach, 22% accrued in the second year and another 11% accumulated more than two years after a breach. The longtail costs were higher in the second and third years for organizations in highly regulated environments, such as healthcare, financial services, energy and pharmaceuticals.

The annual Cost of a Data Breach Report is based on in-depth interviews with more than 500 companies around the world that suffered a breach over the past year. The analysis takes into account hundreds of cost factors, ranging from legal, regulatory and technical activities to loss of brand equity, customers, and employee productivity. Over 50% of data breaches in the study resulted from malicious cyberattacks and cost companies $1 million more on average than those originating from accidental causes.

While less common, breaches of more than 1 million records cost companies a projected $42 million in losses, and those of 50 million records are projected to cost companies $388 million. Companies with an incident response team that also extensively tested their incident response plan experienced $1.23 million less in data breach costs on average than those that had neither measure in place. The average cost of a breach in the U.S. is $8.19 million, more than double the worldwide average.

For the 9th year in a row, healthcare organizations had the highest cost of a breach, nearly $6.5 million on average (over 60% more than other industries in the study). The study found that data breaches which originated from a malicious cyberattack were not only the most common root cause of a breach, but also the most expensive.

Malicious data breaches cost companies in the study $4.45 million on average, over $1 million more than those originating from accidental causes such as system glitches and human error. These breaches are a growing threat, as the percentage of malicious or criminal attacks as the root cause of data breaches in the report crept up from 42% to 51% over the past six years of the study (a 21% increase).

That said, inadvertent breaches from human error and system glitches were still the cause for nearly half (49%) of the data breaches in the report, costing companies $3.50 and $3.24 million respectively. These breaches from human and machine error represent an opportunity for improvement, which can be addressed through security awareness training for staff, technology investments, and testing services to identify accidental breaches early on. One particular area of concern is the misconfiguration of cloud servers, which contributed to the exposure of 990 million records in 2018, representing 43% of all lost records for the year.

This year's report found that the average lifecycle of a breach was 279 days, with companies taking 206 days to first identify a breach after it occurs and an additional 73 days to contain the breach. However, companies in the study that were able to detect and contain a breach in less than 200 days spent $1.2 million less on the total cost of a breach.