Hidden Costs of Data Breaches Increase Expenses for Businesses

Hidden Costs of Data Breaches Increase Expenses for Businesses
Depositphotos

IBM Security announced the results of a global study examining the full financial impact of a data breach on a company's bottom line. Overall, the study found that hidden costs in data breaches, such as lost business, negative impact on reputation and employee time spent on recovery, are difficult and expensive to manage.

Sponsored by IBM Security and conducted by Ponemon Institute, the 2018 Cost of a Data Breach Study found that the average cost of a data breach globally is $3.86 million, a 6.4 percent increase from the 2017 report. Based on in-depth interviews with nearly 500 companies that experienced a data breach, the study analyzes hundreds of cost factors surrounding a breach, from technical investigations and recovery, to notifications, legal and regulatory activities, and cost of lost business and reputation.

This year for the first time, the study also calculated the costs associated with "mega breaches" ranging from 1 million to 50 million records lost, projecting that these breaches cost companies between $40 million and $350 millionrespectively. In the past five years, the amount of mega breaches has nearly doubled from just nine in 2013, to 16  in 2017. Due to the small amount of mega breaches in the past, the Cost of a Data Breach study historically analyzed data breaches of around 2,500 to 100,000 lost records.

Based on analysis of 11 companies experiencing a mega breach over the past two years, this year's report uses statistical modelling to project the cost of breaches ranging from 1 million to 50 million compromised records. Average cost of a data breach of 1 million compromised records is nearly $40 million dollars while at 50 million records, estimated total cost of a breach is $350 million dollars.

The vast majority of these breaches (10 out of 11) stemmed from malicious and criminal attacks (as opposed to system glitches or human error). The average time to detect and contain a mega breach was 365 days, almost 100 days longer than a smaller scale breach (266 days).

For mega breaches, the biggest expense category was costs associated with lost business, which was estimated at nearly $118 million for breaches of 50 million records - almost a third of the total cost of a breach this size. IBM analyzed the publicly reported costs of several high profile mega breaches, and found the reported numbers are often less than the average cost found in the study.

The average time to identify a data breach in the study was 197 days, and the average time to contain a data breach once identified was 69 days. Companies who contained a breach in less than 30 days saved over $1 million compared to those that took more than 30 days ($3.09 million vs. $4.25 million average total). The amount of lost or stolen records also impacts the cost of a breach, costing $148 per lost or stolen record on average.

This year for the first time, the report examined the effect of security automation tools which use artificial intelligence, machine learning, analytics and orchestration to augment or replace human intervention in the identification and containment of a breach. The analysis found that organizations that had extensively deployed automated security technologies saved over $1.5 million on the total cost of a breach. For the 8th year in a row, Healthcare organizations had the highest costs associated with data breaches costing them $408 per lost or stolen record, nearly three times higher than the cross-industry average ($148).