How Much Does a Data Breach Cost? Reading the 2018 Cost of a Data Breach Study
How much does a data breach cost?
It isn't a simple question, but the answer is the only way to transmit the urgency of the situation to C-level executives.
FREE role-guided training plans
The 2018 Cost of a Data Breach Study, the 2018 edition of the annual study sponsored by IBM Security and conducted by the Ponemon Institute, provides us an interesting evaluation for the total cost of security breaches.
For the first time, the study analyzed the costs associated with breaches ranging from 1 million to 50 million lost records.
The first information that emerges from the study is that the average cost of a data breach is $3.86 million, but mega-incidents affecting more than 1 million records are far more expensive.
Figure 1 - Global cost of data breaches
The study revealed that the average total cost of a breach ranges from $2.2 million (for incidents with fewer than 10,000 compromised records) to $6.9 million (for incidents with more than 50,000 compromised records).
Massive security breaches have a cost ranging from $40 million for 1 million records lost to $350 million for 50 million records lost.
A data breach involving 50 million records, for example, would result in a total cost of $350.44 million.
Figure 2 - Average total cost by size of data breaches
The researchers confirmed that the average cost for companies has increased by 6.4% from last year.
While the cost of a data breach increased for organizations in 13 countries compared to the five-year average, experts pointed out that it has decreased in Brazil and Japan.
The majority of security breaches, roughly 48%, are caused by malicious or criminal attacks. The related cost per capita is at $157.
Other causes are human error (27%) with a cost of $131 per capita and system glitches (25%) with $128 per capita.
"This year we found that the average total cost of a data breach, the average cost for each lost or stolen record (per capita cost), and the average size of data breaches have all increased beyond the 2017 report averages," reads the report.
"The average total cost rose from $3.62 to $3.86 million, an increase of 6.4 percent.
"The average cost for each lost record rose from $141 to $148, an increase of 4.8 percent
"The average size of the data breaches in this research increased by 2.2 percent."
According to the study, while several factors influence the overall cost of an incident, third-party involvement is the most significant.
"If a third party caused the data breach, the cost increased by more than $13 per compromised record for an adjusted average cost of $161, up from $148 per record," the report states.
"Organizations undergoing a major cloud migration at the time of the breach saw the cost increase to per capita cost by $12, for an adjusted average cost of $160, up from $148 per record."
For the first time this year, the experts also evaluated the influence of two new cost factors: security automation and the extensive use of Internet of Things (IoT) devices.
Figure 3 - Factors that influence the cost of data breaches
The study revealed that that reputational damages caused by a data breach could have significant impact on the victims, and experts are able to calculate them.
Reputational damage could put a company out of the market because it would be considered untrustworthy by business partners.
Companies that lost less than one percent of their customers as a result of a security breach faced an average total cost of $2.8 million. Experts estimated that if four percent or more was lost, the average total cost was $6 million.
The study revealed that data breaches are the costliest in the United States and the Middle East, while these kinds of incidents are least costly in Brazil and India.
The analysis of cost per geographic area revealed that the average total cost in the United States was $7.91 million and in the Middle East was $5.31 million, while it was $1.24 million in Brazil and $1.77 million in India.
Another piece of bad news for Americans: they faced the highest average per-capita costs at $233, followed by Canada with $202.
Some costs, like notifications, are the highest in the United States. They include all activities to manage data breach notifications such as the management of contact databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures, email bounce-backs and inbound communication setups.
In the U.S. the notification costs for organizations are the highest at $740,000, while in India they are the lowest at $20,000.
Which Sectors Have the Highest Cost for a Data Breach?
For the 8th year in a row, the healthcare sector had the highest costs associated with data breaches. The average cost for a lost or stolen healthcare record was $408, three times higher than the cross-industry average ($148).
Follow in the ranking, the financial and services industries with a cost of $206 and $181 respectively.
Figure 4 - Cost of data breaches per sector
How Can Companies Reduce Data Breach Costs?
According to the study, the mean time to identify a breach is still high — roughly 197 days — while the mean time to contain a breach is 69 days.
Companies that were able to identify a security breach in less than 100 days saved more than $1 million as compared to those that took more than 100 days. Companies that contained a breach in less than 30 days saved over $1 million as compared to those that took more than 30 days to resolve the problem.
The researchers highlighted that businesses can reduce the potential cost of a data breach by adopting proper strategies. For example: the establishment of incident response teams and the extensive use of encryption.
"In this year's research, an incident response (IR) team reduced the cost by as much as $14 per compromised record. Hence, companies with a strong IR capability could anticipate an adjusted cost of $134, down from $148 per record," continues the study.
"Similarly, the extensive use of encryption reduced cost by $13 per capita, for an adjusted average cost of $135, down from $148 per record."
Data reported in the 2018 Cost of a Data Breach Study confirms that the United States and the Middle East spend the most on post-data-breach response.
The report also analyzed the indirect costs for a data breach that include employees' time, effort, and other organizational resources spent notifying victims and investigating the incident, as well as the loss of goodwill and customer churn.
The United States had the highest indirect per-capita cost at $152, followed by Canada at $116.
Figure 5 - Direct and Indirect costs of data breaches
Another interesting novelty of the report published this year is that for the first time, the researchers analyzed the effects of organizations adopting AI and IoT devices as part of their security strategies.
The adoption of AI security platforms could allow companies to save money — the researchers estimated an average of $8 per compromised record. Machine-learning systems, analytics and orchestration are essential support for human activities in identifying and mitigating the security breaches at an early stage.
The most worrisome data unearthed by the analysis is that only 15 percent of companies surveyed had fully deployed an AI system for the protection of their infrastructure.
"This year for the first time, the report examined the effect of security automation tools which use artificial intelligence, machine learning, analytics and orchestration to augment or replace human intervention in the identification and containment of a breach," states the study.
"The analysis found that organizations that had extensively deployed automated security technologies saved over $1.5 million on the total cost of a breach ($2.88 million, compared to $4.43 million for those who had not deployed security automation.)"
Another factor that influences the cost of the data breach is the use of IoT devices. Businesses that extensively use this family of devices pay $5 more per compromised record on average.
The researchers also published a data breach calculator to allow users to explore the industry, location and cost factors in case they are affected by a security incident.
Sources
Cost of a Data Breach, IBM Security
2018 Cost of a Data Breach Study by Ponemon, IBM
Calculating the Cost of a Data Breach in 2018, the Age of AI and the IoT, Security Intelligence
2018 Cost of a Data Breach Global Overview, IBM Security
What should you learn next?
IBM Study: Hidden Costs of Data Breaches Increase Expenses for Businesses, IBM News Room
In this Series
- How Much Does a Data Breach Cost? Reading the 2018 Cost of a Data Breach Study
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security