The 14th annual Cost of a Data Breach Report, the industry’s gold-standard benchmark research on data breaches and cybersecurity, was released last month. Sponsored by IBM Security and independently conducted by the Ponemon Institute, the study explores the implications and effects of data breaches on today’s businesses, both globally and within the U.S.
For the 2019 edition, Ponemon researchers interviewed over 3,000 people at 507 companies that had experienced a breach to gain insight on:
- How organizations spent money on activities detecting the breach
- The root causes of the breach
- The cost of lost business due to the breach
- The cost to notify individuals of the breach
Key findings of the 2019 edition include:
- The lifecycle of a data breach is longer in 2019 than in previous years
- Malicious attacks were the most common and most expensive root cause of the breaches
- There was a 130% increase in the cost of a data breach from 2006 to 2019
- The global average number of breached records is 25,575, with the Middle East highest at 38,800
- The cost of the average data breach in healthcare is 65% higher than in any other industry
Data Breach Lifecycle
Researchers looked at several components to determine the effectiveness of an organization’s incident response (IR) and containment. They also reviewed the total cost of the breach and its lifecycle, which is broken down into the mean time to identify (MTTI) and mean time to contain (MTTC) metrics.
Researchers found that over time, the cost of a data breach has steadily increased.
- The lifecycle of a data breach in 2019 was 279 days, longer than the 2018 lifecycle of 266 days
- Malicious attacks had a 12.5% longer lifecycle, at 314 days
- A breach with a lifecycle longer than 200 days cost $4.56 million, vs. $3.34 million for a breach with a lifecycle shorter than 200 days
Discoveries and Consequences for U.S. Organizations
Researchers found that the U.S. has experienced an increase in both the cost of data breaches and the cost per compromised record. Over the last 14 years, the average cost of a data breach in the U.S. increased 130% – in 2006, a data breach cost $3.54 million, and in 2019 the same type of breach cost $8.19 million. The average cost of a compromised record in 2019 is $150, up 1.4% from 2018’s cost of $148.
Additional key findings from the 2019 Report include:
Certain industries have higher data breach costs. Heavily regulated industries such as healthcare ($429 per capita) and financial services ($210 per capita) had data breach record costs well above the overall mean of $150. In contrast, public sector organizations ($78 per capita) had data breach record costs below the overall mean.
Malicious or criminal attacks continue to be the primary cause of a data breach. 51% of incidents involved a malicious or criminal attack, 25% of incidents were caused by negligent employees, and another 24% were caused by system glitches, including both IT and business process failures.
Malicious attacks are the costliest. Organizations that had a data breach due to malicious or criminal attacks had a per capita cost of $166, which is significantly above the mean. In contrast, system glitches or human error as the root cause had per capita costs below the mean ($132 and $133 per capita, respectively).
Impact of Security Automation. The average total cost of a data breach was $2.65 million for organizations that had fully deployed security automation. Organizations that did not deploy automation realized a total cost of $5.16 million – a net difference of $2.51 million, or 95% higher than organizations with fully deployed automation.
Long Tail Costs
The effects of a data breach remain for years after the breach occurred. In a sample of 86 companies, two-thirds of the cost of a data breach was incurred in the first year. 22% of the cost occurred in the second year, and the remaining 11% took place more than two years after the breach.
Companies studied in high regulatory environments experienced 53% of the cost of a data breach in the first year, while organizations in a low data protection regulatory environment experienced 81% of costs in the first year.
Best Practices to Reduce the Impact of Data Breaches
Having an incident response (IR) team in place improves an organization’s ability to respond to a data breach and saves money. For organizations with an IR team in place that tested their plan, the average cost of a breach was $1.23 million less than for organizations that had no team in place or had not been testing their plan.
Bluefin shares Ponemon’s belief that it is crucial to develop a security plan that includes technologies that will protect organizations from data breaches. Bluefin’s data security solutions, including PCI-validated Point-to-Point Encryption (P2PE) and ShieldConex tokenization, protect payment and PII data from compromise. Learn more about our products or contact us.