What Is the Real Cost of a Data Breach? New Report Indicates It’s About $4 Million to $9 Million for SMEs

There is a growing understanding across all types of organizations that the cost of data breaches often far exceeds the cost of preventive measures. However, there is still some fuzziness as to exactly what the total bill will be given various long-term effects that are hard to quantify.

One of the few good measures of this available is the annual Cost of a Data Breach Report, sponsored by IBM and conducted independently by the Ponemon Institute. The most recent edition has just been published and puts the average cost of a data breach at $3.86 million globally, with that number ranging as high as $8.64 million depending on location, industry and other risk factors.

Pinpointing the true cost of a data breach

This year’s Ponemon study was based on 524 recent breaches (August 2019 to April 2020) across 17 regions and 17 industries. This is the 15th year the report has been conducted, and it focuses on interviewing IT and cybersecurity specialists at breached organizations to learn about breach causes, containment measures and expenses. This study is aimed at small to medium-size businesses, limiting the total record count of each eligible breach to 99,730 and separating “mega breaches” out to a different study.

Key findings include that the most expensive place in the world to experience a data breach is the United States, where the average total cost is $8.64 million — more than double the global average. And the most expensive industry to be in is healthcare, where breach cleanup costs $7.13 million on average. Breaches also tend to take a very long time to identify and contain; the global average currently sits at 280 days, though research indicates that breaches must be contained within 30 days to realize substantial overall cost savings.

The personally identifiable information (PII) of customers is the most expensive item to lose in a breach, estimated at a recovery cost of about $150 per record. If the breach is caused by a malicious attack rather than some sort of oversight (such as an unsecured database discovered by a security researcher), that average cost per record rises to $175. Anonymizing customer data only reduces this average cost by several dollars per record in both cases. Corporate data and intellectual property were not far behind at average costs per record of $149 and $147 respectively.

Malicious attacks are also much more common than breaches due to employee or contractor error, at a rate of 52% to 23% (system glitches caused the remaining 25%). Of those malicious breaches, 19% were caused by stolen credentials (as happened in the recent Twitter hack). 53% of these were caused by profit-minded criminals, but the most expensive overall breach type is the nation-state actor attack that represents 13% of all known sources. Among breaches caused by some sort of human error, cloud misconfigurations (14%) were the most common cause.

What exactly are the associated expenses of a data breach? The Ponemon study determines the cost of data breaches by using a list of 17 factors that include detection and crisis management response, required notifications, customer service for affected parties and long-term loss of business. The largest of these expenses is lost business, which averages $1.52 million in the wake of a breach. Detection and escalation averages $1.1 million, ex-post response averages just short of $1 million and notifications cost companies just short of a quarter of a million dollars.

The cost savings of preventive measures

So how do security measures stack up against the total cost of data breaches? The Ponemon study offers some useful data in this area as well.

Organizations that had fully deployed security automation measures (technologies based on machine learning and AI that come to recognize abnormal patterns of behavior and execute security actions accordingly) saw an average savings of $3.58 million in data breach costs over organizations that had no form of security automation put in place.

Incident response teams and testing are another major expense mitigator. Organizations with these teams and procedures in place saved $2 million as compared to those that did not. Successful teams include those that deployed tools to help protect and monitor endpoints and remote employees.

And on the subject of remote employees, the Ponemon study found an expected increase of $137,000 in total data breach costs directly as a result of greater work-from-home implementation during the COVID-19 pandemic months that were covered (March and April 2020). Organizations have tended to anticipate this, with 70% of respondents saying that they expected the cost of data breaches to increase while COVID-19 remote work policies were in place.

Organizations have also responded to the expected financial impacts with enhanced security measures, primarily unified endpoint management (UEM) and identity and access management (IAM) products that allow for enhanced visibility into threats emerging from employee devices. James Tedman, Partner for Cyber Security, Privacy and Risk at ACA Aponix, added: “Companies can reduce the security risks of home working by isolating corporate data and networks from vulnerable personal technology solutions. There are different ways to achieve this – either by mandating the use of corporate managed solutions (laptops, mobile phones, etc.) or through deploying solutions to personal devices that allow the organization’s applications and data to be secured within a software container designed to prevent malware infection, breached access and data loss … Firms should provide their staff with technology to enable them to work from home productively to avoid the risk of ‘Shadow IT’ – seeking alternative non-approved solutions that could compromise the security of the organization. For example, providing staff with additional screens and collaboration tools will reduce the incentive to use personal devices and non-secure email or instant messaging platforms.”