The 2017 Cost of Data Breach Study, the industry’s gold-standard benchmark research, was released last week. Sponsored by IBM Security and independently conducted by Ponemon Institute, the study explores the implications and effects of data breaches on today’s businesses both globally as well as within the U.S.
Ponemon Institute researchers interviewed IT, compliance and information security practitioners representing 419 organizations across 12 countries, reporting for the first time since the global study was created that there has been an overall decrease in the cost of a data breach – with the average cost at $3.62 million globally, a 10% decline from 2016 results due in large part to a strong U.S. dollar, the study found.
The average cost for each lost or stolen record containing sensitive and conﬁdential information also signiﬁcantly decreased from $158 in 2016 to $141 in this year’s study. Despite the decline in the overall cost, companies in this year’s study are having larger breaches. The average size of the data breaches in this research increased 1.8% to more than 24,000 records.
To explain cost increases or decreases from the previous year, the study asks the participating organizations for information that helps to present the data that is used to calculate the cost and the factors, with the hope that in asking these questions, “organizations will make better decisions about how to allocate resources to minimize the financial consequences when the inevitable data breach strikes.” The following factors were considered by each participating organization:
- The unexpected and unplanned loss of customers following a data breach (churn rate)
- The size of the breach or the number of records lost or stolen
- The time it takes to identify and contain a data breach
- The detection and escalation of the data breach incident
- Post data breach costs, including the cost to notify victims
- An attack by a malicious insider or criminal is costlier than system glitches and negligence (human factor).
The data collected by all participating organizations paints a global picture on the state of data breaches, proving that retaining customers and limiting the number of stolen records after a data breach occurs directly correlates to a reduction in costs.
In conclusion, organizations in Australia, Germany, France and the United Kingdom were able to improve their ability to keep customers and, as a result, reduced the cost of data breach. Organizations in Australia, the United Kingdom and Germany also were able to limit the number of customer records lost or stolen and, as a result, had lower costs. Whereas, countries in the Middle East and the United States experienced a higher percentage of churn and had higher costs. Organizations in Brazil, India, the Middle East and South Africa had data breaches involving more lost or stolen records, which increased their costs.
Findings and Implications for U.S. organizations
Despite an overall global decrease in costs, many regions experienced increased cost of a data breach. In the U.S., the cost of a data breach was $7.35 million, a 5% increase compared to last year, with an average cost for each lost or stolen record containing sensitive and confidential information increasing from $221 (2016) to $225 in 2017 – a new record high. The study shows the average per capita cost of data breaches in the U.S. over the last 12 years the study has taken place.
Additional key findings from the 2017 Cost of a Data Breach Report include:
Certain industries have higher data breach costs. Heavily regulated industries such as healthcare ($380 per capita) and financial services ($336 per capita) had per capita data breach costs well above the overall mean of $225. In contrast, public sector organizations ($110 per capita) had a per capita cost of data breach below the overall mean.
Malicious or criminal attacks continue to be the primary cause of data breach. 52% of incidents involved a malicious or criminal attack, 24% of incidents were caused by negligent employees, and another 24% were caused by system glitches, including both IT and business process failures.
Malicious attacks are the costliest. Organizations that had a data breach due to malicious or criminal attacks had a per capita data breach cost of $244, which is significantly above the mean. In contrast, system glitches or human error as the root cause had per capita costs below the mean ($209 and $200 per capita, respectively). Criminal and malicious attacks also took the longest to contain, at 303 days.
The more records lost, the higher the cost of data breach. This year, for companies with data breaches involving less than 10,000 records, the average total cost of data breach was $4.5 million and companies with the loss or theft of more than 50,000 records had a cost of data breach of $10.3 million.
The more churn, the higher the cost of data breach. Companies that experienced less than 1% churn or the loss of existing customers, had an average total cost of data breach of $5.3 million, while those that experienced churn greater than 4% had an average total cost of data breach of $10.1 million.
Breach Response Costs Trending Upwards
The annual Cost of Data Breach study examines both direct and indirect costs to companies in dealing with a single data breach incident, factoring in costs associated with breach response activities.
In addition to the increases in overall cost per data breach and cost per record, costs associated with efforts in data breach detection, escalation, and notification have all risen as well. Average detection and escalation costs for activities such as forensic investigations, assessments and audit services increased dramatically from $0.73 million in 2016 to $1.07 million in 2017, suggesting that companies are investing more heavily in these activities, while data breach notification costs rose from $0.59 million (2016) to $0.69 million in 2017.
It seems that the underlying message within the study is that time is money, and the faster the time to identify and contain a breach, the lower the cost. For example, within the study, the average cost in identifying a breach in less than 100 days was $5.99 million. However, if it took longer than 100 days to identify, the average cost increased to $8.7 million. Similarly, data breaches contained in less than 30 days cost around $5.87 million, but if containment took longer than 30 days, the cost increased to $8.83 million.
Best Practices to Reduce Cost of Data Breaches
Organizations reported higher costs to respond and to remediate a data breach, with the best investments coming from incident response plans and extensive use of encryption. Having an incident response team in place resulted in a $19 reduction in cost per lost or stolen record, followed by extensive use of encryption ($16 reduction per record) and employee training ($12.50 reduction per record).
The report illustrates the preventive measures organizations implemented after the data breach. The most popular measures and controls implemented after the data breach have been fairly consistent. This year, the number-one activity is training (60%) followed by expanded use of encryption (55%) and endpoint security solutions (49%).
“Data breaches and the implications associated continue to be an unfortunate reality for today’s businesses,” said Dr. Larry Ponemon. “Year-over-year we see the tremendous cost burden that organizations face following a data breach. Details from the report illustrate factors that impact the cost of a data breach, and as part of an organization’s overall security strategy, they should consider these factors as they determine overall security strategy and ongoing investments in technology and services.”
Bluefin Payment Systems shares Ponemon’s belief in the importance for organizations to develop a security strategy that includes technologies that will protect from data breaches. Bluefin’s PCI-validated Point-to-Point Encryption (P2PE) solutions prevent clear-text cardholder data from being present in a merchant or enterprise’s system or network where it could be accessible in the event of a data breach.