The cost of a data breach has risen 12% over the past five years and now stands at $3.92 million on average, a study by IBM Security said on Tuesday. Assessing the financial impact of data breaches on organisations, the report claimed that the rising expenses were representative of the multi-year financial impact of breaches, increased regulation, and the complex process of resolving criminal attacks.
The report also found that companies with fewer than 500 employees suffered losses of more than $2.5 million on average – a potentially crippling amount for small businesses, which typically earn $50 million or less in annual revenue.
For the first time this year, the report examined the long-tail financial impact of a data breach, finding that the effects of a data breach are felt for years. While an average of 67% of data breach costs were realized within the first year after a breach, 22% accrued in the second year and another 11% accumulated more than two years after a breach. The long-tail costs were higher in the second and third years for organisations in highly regulated environments, such as healthcare, financial services, energy and pharmaceuticals.
The study also found that data breaches which originated from a malicious cyber attack were not only the most common cause of a breach, but also the most expensive. Malicious data breaches cost the companies examined in the study $4.45 million on average – over $1 million more than those originating from accidental causes such as system glitches and human error. These breaches are a growing threat, as the percentage of malicious or criminal attacks as the root cause of data breaches in the report crept up from 42% to 51% over the past six years of the study (a 21% increase).
That said, inadvertent breaches due to human error and system glitches were still the cause of nearly half (49%) of the data breaches in the report, costing companies $3.50 and $3.24 million, respectively. These breaches, caused by human and machine error, represent an opportunity for improvement, which can be addressed through security awareness training for staff, technology investments, and testing services to identify accidental breaches early on.
One particular area of concern is the misconfiguration of cloud servers, which contributed to the exposure of 990 million records in 2018, representing 43% of all lost records for the year, according to the IBM X-Force Threat Intelligence Index.
The report found that the average life cycle of a breach was 279 days, with companies taking 206 days to first identify a breach after it occurs and an additional 73 days to contain the breach. However, companies in the study that were able to detect and contain a breach in less than 200 days spent $1.2 million less on the total cost of a breach.
A focus on incident response can help reduce the time it takes companies to respond, and the study found that these measures also had a direct correlation with overall costs. Having an incident response team in place and extensive testing of incident response plans were two of the top three cost-saving factors examined in the study. Companies that had both these measures in place had total data breach costs that were $1.23 million lower on average than those that had neither measure in place ($3.51 million vs. $4.74 million).
The study also examined the cost of data breaches in different industries and regions, and found that data breaches in the US were vastly more expensive – costing $8.19 million, or more than double the worldwide average for companies in the study. The cost of data breaches in the US increased by 130% over the past 14 years of the study, up from $3.54 million in the 2006 study.
Additionally, organisations in the Middle East reported the highest average number of breached records with nearly 40,000 breached records per incident compared with the global average of around 25,500.
In India, the study found, ₹128 million was the average cost of a data breach, which represents an increase of 7.29% year-on-year. The root cause for 51% of data breaches was malicious or criminal attacks, while system glitches accounted for 27% and human error for 22%. The mean time to identify a data breach increased from 188 to 221 days, while the mean time to contain a data breach decreased from 78 to 77 days.
Commenting on the findings, Vaidyanathan Iyer, Security Software Leader, IBM India/South Asia, said, “India is witnessing a significant change in the nature of cyber-crimes; it is now extremely organized and collaborative. The cost of Data Breach continues to grow and this year witnessed a 7.29% rise from last year. Organizations need to significantly invest in cyber security.”
For the ninth year in a row, healthcare organisations in the study had the highest cost associated with data breaches. The average cost of a breach in the healthcare industry was nearly $6.5 million – over 60% higher than the cross-industry average.
Sponsored by IBM Security and conducted by the Ponemon Institute, the annual Cost of a Data Breach Report is based on in-depth interviews with more than 500 companies around the world that suffered a breach over the past year.