The average cost of a data breach has risen to US$3.86 million, according to a new report from IBM. The latest version of its annual report shows a 6.6% increase in costs; including direct losses, indirect costs related to time and effort in dealing with a breach, and lost opportunities such as customer churn as result of bad publicity.
“There is an expectation, because of the amount of breaches, that people should be better equipped to handle these now,” says John Wheeler, VP of strategy at IBM Security. “Companies that are caught with weaknesses in their [security] programs, that's reaching a point of being purely unacceptable.”
The size of your average data breach is now 24,615 records; an increase of 2.2% compared to 2017. Each record lost costs around US$148 on average globally, while in the US that figure rises to US$233. The final cost per record can be impacted by a number of factors relating to how well-prepared an organization is and how well it reacts to a breach.
Given the increasingly connected nature of today’s businesses, Wheeler only predicts that figure to increase over time. “The data, the records, the requirements around the management are going to continue. Everybody's moving toward digital transformation which also means that they're trying to take their businesses and figure out how to connect in a more personalized way with their consumers.”
US organizations face the highest costs with an average of US$7.91 million per breach. Globally, just under 23% of organizations are likely to suffer at least one breach over the next 24 months. Companies within Brazil and South Africa are the most likely to suffer at least one breach. The variation in costs is down to a combination of factors, according to Wheeler. “Number one is the cost of regulation. There’s also going to be a factor around the cost of the teams brought in to supplement, as well as the degree of media pick up that is going to occur.”
Given the highly sensitive and regulated nature of the data they manage it should come as little surprise that the health and financial sectors face the largest costs per record; up to US$400 each. Financial services organizations are the most frequent victims, followed by those in the services, manufacturing, and technology industries. The level of regulation plays a big role in what a company will pay to recover from a data breach.
According to the IBM report, it now takes 197 days to identify a breach and 69 days to contain it -- a slight increase on 2017’s 191 and 66 days, respectively. German and South African organizations are quickest at finding and containing breaches – a combined 171 and 190 respectively – while companies in the Middle East (350) and Brazil (340) take the longest.
Entertainment and healthcare organizations take the longest time to discover and contain a breach – averaging more than 300 days – while financial services and energy sectors were quickest at discovery and remediation.
Time is money and being slow to detect and contain a breach can be costly. Taking more than 100 days to discover a breach could add as much as US$1 million to the final bill. Likewise taking longer than 30 days to contain the breach once discovered can also add over US$1 million to costs. Investment in monitoring and forensics capabilities could be valuable in the long run.
A significant outlay organizations are faced with post-breach is notification costs. These include the creation of contact databases, determining regulatory requirement, consultancy fees, postal expenditures, email bounce-backs, and more. India has the lowest notification costs at just US$20,000, while the US has the highest at US$740,000 per breach, largely due to data breach notification regulations.
However, now that the European Union’s regulation is in effect, companies are likely to see “huge increases throughout the world” in the future when it comes to notification costs, according to the report. “The biggest question mark is when the fines are set, what precedents are set,” says Wheeler. “When that first one hits and people realize just how damn big those fine numbers can be, then you're going to see a set a C-suites scrambling. One key thing with GDPR is you have that 72-hour disclosure window. And that time can go by very, very fast. Folks really need to understand the need for preparation.”
Where the loss of thousands of records at a time is becoming a common occurrence, Equifax-level breaches involving millions of records are still relatively rare. According to IBM a "mega-breach" of 1 million records could cost a company US$40 million, while the loss of 50 million records might lose a company US$350 million.
The indirect costs are major contributor to costs when a breach falls into this category, according to Wheeler. “If you're a company who loses fifty million records, first and foremost there's an expectation that you're likely a very large company who certainly has the financial means to be able to put an adequate level of protection in place. Folks will look at that and say that is a catastrophic failure, and clients are going to make an alternative choice of who they do business with as a result.”
Expansive use of encryption, automating security wherever possible, and having an incident response team can all reduce the potential cost of a breach, as can employee training and cyber insurance. But being properly prepared throughout the business and knowing what to do in the event of a breach is the biggest cost saver.
“You need to have an incident response plan in place, that plan has to be tested and practiced across the whole range of the C-Suite,” says Wheeler. “And it's got to be more than just having it on paper, you've got to actually simulate as close as you can to what the real world's going to be like.”
This prep includes understanding what roles everyone the company has in the wake of a breach, knowing which external parties you need to contact and bring in, having your external communication strategy prepared.
Conversely, third-party involvement, extensive cloud migration or use of IoT devices at the time of breach can add to the potential cost impact, as can loss of devices such as laptops or phones. In the same way being better prepared reduces costs, being caught short only increases them. “If the organization dealing with the breach does not have a formalized incident response plan, then their costs will be significantly higher, because in the wake of that disaster or major critical business event they're trying to figure it out for the first time.”
Wheeler says that companies that take security and the threat of breaches seriously are more likely to keep costs down due to the fact they will be ready to act quickly in the wake of any incident. “Data security and data protection really have to be treated as a C-suite commitment, not solely put into the responsibility of the CSO. The C-suite needs to understand the risks; we must protect this data, this would be a catastrophic event to our business, and this is our commitment to protect the information we have about our consumers.”
This includes having legal teams that understand the legal ramifications of a breach, communication teams preparing the messaging, and the company leaders being ready to take responsibility. “In the event of a large-scale breach, you're probably not going to get away with putting a CSO who has not been the public face of your company in front of the cameras by themselves. Your investors and your customers will be demanding the highest profile person or persons in the company communicating what happened, what's being done, and what assurances can they give?”