The average cost of a data breach is $3.86 million globally. That is a 6.4 percent increase from 2017, a newly released report revealed.
The Cost of a Data Breach 2018 report, conducted by Ponemon Institute and sponsored by IBM Security, found that the cost of data breaches on a business’ bottom line has been steadily increasing over the past five years. The report is based on in-depth interviews with nearly 500 companies that experienced a data breach in the past year, and on analysis of data breaches of around 2,500 to 100,000 stolen records, IBM explained.
According to the report, the cost of a data breach is calculated using activity-based costing, a methodology that “identifies activities and assigns a cost based on actual use,” the report stated. Factors that impact the cost of a data breach include: unexpected loss of customers, size of the breach, the time it takes to detect and respond, and management.
“The goal of our research is to demonstrate the value of good data protection practices, and the factors that make a tangible difference in what a company pays to resolve a data breach,” said Larry Ponemon, chairman and founder of Ponemon Institute. “While data breach costs have been rising steadily over the history of the study, we see positive signs of cost savings through the use of newer technologies as well as proper planning for incident response, which can significantly reduce these costs.”
The 2018 report also looks at mega breaches for the first time. A mega breach, according to IBM, ranges from 1 million to 50 million records lost, costing companies between $40 million and $350 million in losses. The report found that the number of mega breaches has almost doubled in the last five years.
Ponemon Institute analyzed 11 companies that experienced mega breaches within the past two years and found that the average cost of a mega breach of 1 million lost records is $40 million, while the average cost of one with 50 million compromised records is $350 million. Ten of the 11 companies reported that the breaches came from malicious and criminal attacks rather than glitches or human errors. Additionally, the report found the average time to detect and contain a mega breach is 365 days. “For mega breaches, the biggest expense category was costs associated with lost business, which was estimated at nearly $118 million for breaches of 50 million records – almost a third of the total cost of a breach this size,” IBM wrote in an announcement.
For data breaches of 100,000 compromised records or fewer, the report found that costs are heavily associated with the time it takes to contain a data breach, as well as with investment in technologies that speed up response time, IBM explained. The report found the average time to identify a breach is 197 days, and the average time to contain it is 69 days.
Other findings included: It costs $148 on average per lost or stolen record, and the likelihood of an organization suffering another breach in the next two years is about 28 percent.
“While highly publicized data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified,” said Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services (IRIS). “The truth is there are many hidden expenses which must be taken into account, such as reputational damage, customer turnover, and operational costs. Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake.”