The Ponemon Institute and IBM recently released their annual Cost Of Data Breach Study: Global Analysis, drawing on contributions from over 350 organizations in 16 different industries across 11 countries, each of which had been involved in an event where an individual’s name plus a medical or financial record was potentially at risk.
Last Thursday, IBM and the Ponemon Institute hosted a webinar covering the findings from the 2015 report led by David Puzas, Director of Portfolio Marketing, Security Services at IBM and Dr. Larry Ponemon, Chairman and President of the Ponemon Institute.
For those that missed the webinar and presentation, we’ve recapped some of the key takeaways and trends from the 2015 Cost of Data Breach Study: Global Analysis.
Key Definitions And Demographics
Before diving into the vast amount of data gathered in this survey, it’s important to classify the key terms used throughout the study. As you can see above, the Ponemon Institute and IBM surveyed organizations of all sizes, from a variety of industries and nearly a dozen countries. The key takeaway from Slide 4 is that the estimated costs of a data breach cannot be applied to the mega-breaches involving the theft of more than 100,000 records. Due to the sheer volume of records exposed, along with a variety of factors that we will cover shortly, quantifying the impact of the mega-breaches that affected Anthem, Home Depot and Premera will take much longer.
What Is The Financial Impact Of A Data Breach?
Thanks to the survey’s unique data set, the Ponemon Institute is able to determine the financial impact of a data breach both domestically and abroad after receiving detailed responses from breached organizations across the globe.
What we can gather from Slide 6 is that both the average cost per compromised record and the cost per data breach incident are on the rise. The global average cost for a record compromised in a data breach has risen 12 percent over the last two years, bringing the cost to $154. Out of the 11 countries surveyed, the two countries with the highest average cost per record are the United States and Germany, at $217 and $211 respectively. The two countries with the lowest average cost per record compromised are Brazil and India, at $78 and $56 respectively.
Now that we’ve established the average cost per record compromised in a data breach, the next step is to quantify the cost per data breach incident. As shown above, the global average cost of a data breach has increased 23 percent to $3.8 million. The countries with the highest cost per data breach incident were led by the United States and Germany, with average costs of $6.5 million and $4.9 million respectively. Brazil and India had the two lowest average costs per incident of the 11 countries, at $1.8 million and $1.5 million.
Out of the 11 surveyed industries in this year’s study, average per-record data breach costs varied widely. All but one industry surveyed reported an average cost per record compromised of at least $120.
What we can see from Slide 7 is that heavily regulated industries, such as healthcare, education, financial services, and retail, have a per capita data breach cost that is significantly higher than the overall mean of $154, while less regulated industries, such as the public sector, transportation or media, were all under the overall mean. Now that we have a big picture of the industries, let’s dive into a few of them and how they’ve been impacted.
While the majority of the industries experienced little change in the cost of a data breach, the retail sector saw the largest increase in average cost: a $60 increase, from $105 to $165, compared to 2014. Due to the vast media coverage and consumer concerns regarding retail-related data breaches, retail organizations must allocate more resources to address the consequences of a data breach. During the webinar, Dr. Ponemon also singled out two industries whose per capita data breach cost was worth discussing in detail.
Both the energy and public sectors saw an overall decrease in their respective per-record data breach costs, rounding out the bottom five for the lowest per capita cost by industry classification. During the webinar, Dr. Ponemon pointed out that it’s still important to be aware of data breaches affecting organizations in the energy and public sectors. While there may not be a lot of money involved in energy or utility companies, these companies are essential to a country’s infrastructure, making them the target of state-sponsored attacks.
For the surveyed organizations in the public sector, there is a much lower opportunity for churn: when a governmental agency suffers a data breach, such as the recent breach affecting the IRS, consumers have fewer alternatives to turn to. If an organization operates in a highly regulated industry, such as healthcare or financial services, there is a higher expectation that the sensitive data being collected is stored correctly. Once an organization determines that a security incident has taken place, it faces the various costs associated with a data breach.
Components Of The Cost Of A Data Breach
The four cost categories established by the Ponemon Institute are lost business, post-data breach costs, detection and escalation, and notification. These categories encompass the entire life cycle of a data breach, from the initial steps of detection to the breach notifications that are sent out to affected consumers. We’re going to recap each cost category following the life cycle of a data breach that a compromised organization would encounter.
With the average cost of a data breach for an organization reaching $3.8 million this year, the detection and escalation category accounts for just over a quarter of an organization’s cost of a data breach. This category starts with the first detection of a security incident, prompting a response from the breached organization’s crisis team. After confirming that an incident has occurred, third-party forensic and audit professionals can be brought in to determine the true scope of the breach before notifications are sent out.
Following the detection and escalation of a data breach, affected consumers must be notified within a certain time, depending on the state in which the data breach occurred. Many of the listed components in the notification and post-data breach categories are essential to alert and inform consumers that their personal information was compromised in a security breach. Even after the dust settles following a breach, the biggest impact on a breached organization is the lost business associated with it. These costs include everything from brand and reputation losses and higher customer turnover rates to diminished goodwill from former business partners.
What Is The Leading Cause For These Data Breaches?
The Ponemon Institute was able to determine that the majority of data breaches impacting organizations around the globe can be attributed to three root causes. In this year’s study, malicious or criminal attacks remained the leading cause of a data breach for organizations. Forty-seven percent of the surveyed organizations listed malicious attacks as the primary cause of a data breach, while the remaining fifty-three percent indicated non-malicious events, such as human error or system glitches, as the cause.
These malicious attacks are also the most costly to an organization when looking at the average cost per record exposed. Organizations that suffered a data breach due to a malicious attack had a per capita data breach cost of $170, higher than the $134 and $142 for human error and system glitches, respectively. More often than not, the malicious attacks carried out by cybercriminals are much more difficult to detect and contain, which results in a higher cost per record exposed.
What Factors Can Help Decrease The Cost Of A Data Breach?
So far, we’ve covered everything in the Ponemon Institute 2015 Cost Of Data Breach Study from the data breach landscape to the financial impact of a data breach. We know the dangers and implications of a security incident involving the theft of personal information. Before an organization falls victim to a data breach, there are seven components that have been shown to reduce the cost of a data breach.
As shown in Slide 14, there are some aspects that are consistently effective in reducing the cost of a data breach. The most impactful of these components is implementing and maintaining an incident response team, reducing the cost of each record exposed by $12.60. By implementing just three of the above security components, an organization will save at least $15.50 per record exposed. Dr. Ponemon also emphasized the importance of encryption, employee training and board level involvement.
By requiring that current and future employees undergo training to stay up to date on the latest security risks, an organization can ensure that everyone from the C-Suite to everyday employees is aware of the risks at hand. The extensive use of data encryption can also include related methods such as tokenization to hamper a cybercriminal’s attempts at deciphering the stolen data. Board-level involvement was added to the list this year for the first time, but with breached retailers parting ways with members of their C-Suite, expect this figure to go up.
The amount of information we covered in this blog post is just a drop in the bucket for the Ponemon Institute 2015 Cost Of Data Breach Study. Today, businesses are dealing with a variety of security concerns, ranging from data breaches and insider threats to social engineering attempts. Understanding the major factors behind a data breach and the financial consequences attributed to it is essential for organizations of any size. We highly recommend downloading a copy of this year’s study, which provides both global and country-specific reports, and watching the on-demand recording for additional insight.