Around the world, the cost of a data breach continues to rise, according to the latest annual report conducted by the Ponemon Institute and sponsored by IBM Security. As the 2019 “Cost of a Data Breach” report points out, the cost of a data breach is now $3.92 million on average – but that figure could be much higher for companies and organizations that fail to detect, identify and mitigate a data breach as quickly as possible.
Key findings of the “Cost of a Data Breach” report
If there is one big takeaway from the IBM-Ponemon “Cost of a Data Breach” report, it’s that the financial impacts of data breaches (both malicious cyber attacks and accidental breaches caused by human error) are becoming more serious with each passing year. The $3.92 million figure is 12 percent higher than it was just five years ago. For a small business, this multi-million-dollar amount could be crippling, and might eventually lead to the demise of the business.
The “Cost of a Data Breach” report also makes the very important point that the companies in the study often reported financial impacts from the data breach two, three and even four years after the initial breach was detected. In part, this is due to the loss of business and a decline in business reputation. And, in part, this is due to all the remedies that need to be put into place, such as upgrading IT systems or installing a better layer of security around the digital perimeter of the company. In general, says the report, two-thirds (67%) of the costs are borne in Year 1, followed by 22 percent in Year 2, and 11 percent in the following years.
Even though this marks the 14th year that this report has been published, it marks the first year that the report attempts to segment the total cost of a data breach. There are four core cost categories, according to the security researchers. As might be expected, the highest costs are related to “lost business.” In the event of a high-profile cyber attack, a company might be forced to go offline for days, or to resort to manual operations until the source of the data breach has been identified. The other three cost categories include detection, notification and post-breach cleanup costs.
The rise of the mega-data breach
Throughout the report, the security researchers attempt to give an idea of how the cost of a data breach can differ not only by type of industry and geography, but also by organization size and the actual size of the data breach itself. Thus, the most expensive industry for a data breach is the healthcare industry, which is perhaps not surprising, given the extraordinary amount of personal information and data that is contained within medical records. And the most expensive nation to suffer a data breach is the United States, where the cost of a data breach is now a whopping $8.19 million, nearly two times the global average of $3.92 million. This is also a slight increase over the previous year, when the average cost of a U.S. data breach was $7.91 million.
Given the current media attention given to data breaches at some of the world’s largest companies, the IBM-Ponemon report also delves into the cost of a mega-data breach. Generally speaking, a mega-data breach involves more than 1 million records. Here, the cost of a data breach is $42 million. For mega-data breaches that involve more than 50 million records, the cost of a data breach is a staggering $388 million.
George Wrenn, Founder and CEO of CyberSaint Security, comments on the growing awareness of the “mega-breach” problem: “What we’re seeing is that executive management is taking a greater interest in cybersecurity to the point of the ‘mega-breaches’ listed in the report. While yes more uncommon, they are critical to avoid at all costs, sometimes at the risk of the entire business. As the report states regarding an enterprise-wide approach to cybersecurity – strong awareness and a robust cybersecurity program can significantly reduce the cost of a data breach if and when it does happen.”
The elongation of the data breach lifecycle
The IBM-Ponemon report also importantly underscores the growing length of time it takes many companies to identify and detect a cyber threat, and then put into action the proper incident response plan. Even in a day and age when IT security issues are front and center with many large organizations (especially healthcare organizations), thanks to the constant deluge of stories about high-profile data breaches in the media, it still takes companies an extraordinarily long period of time to identify and contain a threat. The IBM-Ponemon security researchers refer to this as the data breach lifecycle, and it is a valuable metric for determining just how strong the incident response team of an organization really is. Currently, the average length of a data breach lifecycle is 279 days, or slightly more than 9 months. This figure has increased 4.9% from the figure of 266 days in 2018.
Not surprisingly, the cost of data breaches increased also during the past 12 months. It doesn’t take an IT security genius to figure out that, the longer a data breach is allowed to fester and go uncontained, the higher will be the cost of the data breach. In short, when it comes to data breach costs, time is money. Once the data breach life cycle passes the 200-day point, companies can expect the average cost of a data breach to go up by $1.23 million.
Possible cost mitigation for data breaches
With that in mind, the report does provide a summary of how to limit the damage of any IT data breach that could cost companies millions of dollars. The report outlines the various “cost amplifiers” of a data breach before examining some of the “cost mitigators.” Several of the ways to reduce the cost of a data breach include the following: putting into place a better incident response plan; using encryption to protect records and sensitive data; sharing threat intelligence with the relevant authorities; and using security automation technologies that make it possible to hunt for possible threats on a 24/7 basis.
With the cost of a data breach increasing steadily over time, companies and organizations now have a very real responsibility to take IT cyber security more seriously. Now that the cost of a data breach is almost $4 million, it’s incumbent upon senior management, top C-level executives and board members to make the data security of their organization a key strategic priority.