Data Breach Cost Update: U.S. Companies Rise to the Top

Posted by Anna Kragie on Jul 20, 2018 7:15:00 AM

The latest data breach report signals both good and bad news as it relates to the costs of breaches since 2017.

The bad news? Research from the Ponemon Institute and IBM Security shows losses related to data breaches have increased 6.4 percent in the past year. The good news? For those companies that were able to contain the breach within 30 days, their losses have been less significant.

The study, which reviewed the impact of data breaches on a global scale, specifically noted that U.S. companies saw the highest average data breach cost at $7.91 million. Compared to the global average of $3.86 billion, this figure is more than double in the U.S. For companies that were able to identify a breach and implement a remedy within a month or less, savings were roughly $1 million when compared with those who did not.

The study examined the impact data breaches have on a company’s bottom line, and concluded that the direct correlation between breach incidents and business boiled down to reputation impact and wasted internal resources spent on recovery. The study also indicated that a third of those labeled “mega breaches” (more than 1 million breached records) had a connection with lost business. Data also indicated that companies relying on machine learning/AI and proactive cyber security response efforts saw better cost reductions in their breach combating efforts.

“While highly publicized data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified,” IBM X-Force Incident Response and Intelligence Services (IRIS) Global Leader Wendi Whitmore said in a press release. “The truth is there are many hidden expenses which must be taken into account, such as reputational damage, customer turnover, and operational costs. Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake.”

In terms of those “mega breaches” the costs associated with those breaches fell somewhere between $40 million and $350 million, depending on the scope of how many records were stolen. The number of breaches that were in that category has also nearly doubled in a five-year period from nine breaches in 2013 to 16 in 2017.

"While data breach costs have been rising steadily over the history of the study, we see positive signs of cost savings through the use of newer technologies as well as proper planning for incident response, which can significantly reduce these costs,” said  Dr. Larry Ponemon, chairman and founder of Ponemon Institute.

Other key findings from the report include:

  • The use of an AI platform for cybersecurity reduced the cost by $8 per lost or stolen record. For a mega breach, that’s savings of at least $8 million.
  • At 50 million records, the estimated total cost of a breach is $350 million dollars
  • Most of the breaches were a result of malicious and criminal attacks (as opposed to system glitches or human error)
  • The average time to detect and contain a “mega breach” was 365 days – almost 100 days longer than a smaller scale breach (266 days).
  • The average time to identify a data breach in the study was 197 days, and the average time to contain a data breach once identified was 69 days.
  • Companies who contained a breach in less than 30 days saved over $1 million compared to those that took more than 30 days ($3.09 million vs. $4.25 million average total)
  • The top cost-saving factor was attributed to having a data breach response team — which was estimated to reduce costs by $14 per compromised record. (AKA: At least $14 million in savings per mega breach).
  • Companies that indicated a "rush to notify" had a higher cost by $5 per lost or stolen record
  • U.S. companies experienced the highest average cost of a breach at $7.91 million, followed by the Middle East at $5.31 million.
  • The lowest total cost of a breach was $1.24 million in Brazil, followed by $1.77 million in India.