
IBM Security: Cost of Data Breach Rises to Nearly $4 Million, Up 12% Since 2014

The average cost worldwide of a data breach has risen 12 percent over the past 5 years to $3.92 million, IBM Security discovered in a new study.

Other figures off the top you’ll want to know:

  • Data breaches cost companies around $150 per lost or stolen record.
  • The average cost of a breach in the U.S. is $8.19 million, more than double the worldwide average.
  • Healthcare is the most costly industry at nearly $6.5 million on average, 60% more than other industries.

Three factors prompted the rising costs -- the multiyear financial impact of breaches, increased regulation and the multi-faceted process of resolving criminal attacks. Findings from the Cost of a Data Breach Report, an annual collaboration of IBM Security and researcher Ponemon, come from interviews with 500 companies worldwide victimized by a breach in the past year.

Some top-line findings from the report:

  • More than 50 percent of data breaches in the study resulted from malicious cyber attacks and cost companies $1 million more on average than those originating from accidental causes.
  • Breaches of more than 1 million records cost companies a projected $42 million in losses.
  • Breaches of 50 million records are projected to cost companies $388 million.
  • Companies with an incident response team and an incident response plan experienced $1.23 million less in data breach costs on average.
  • Data breaches which originated from a malicious cyber attack were the most common root cause of a breach and the most expensive.
  • The average lifecycle of a breach was 279 days with companies taking 206 days to first identify a breach after it occurs and an additional 73 days to contain the breach.
  • Companies in the study able to detect and contain a breach in less than 200 days spent $1.2 million less on the total cost of a breach.

"Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses," said Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services. "With organizations facing the loss or theft of over 11.7 billion records in the past 3 years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line – and focus on how they can reduce these costs," she said.

Small to medium-sized businesses (SMBs) were hit particularly hard by a data breach, the study concluded. Companies with fewer than 500 employees suffered losses of more than $2.5 million on average. The effects of a data breach often last for a number of years afterwards. Even though an average of 67% of data breach costs were realized within the first year after a breach, 22% accrued in the second year and another 11% accumulated more than two years after a breach. The long-term impacts were even higher in years two and three for regulated industries such as healthcare, financial services, energy and pharmaceuticals.

Additional findings from the study include:

  • Inadvertent breaches from human error and system glitches caused 49% of the data breaches in the report, costing companies $3.50 and $3.24 million, respectively.
  • Companies deploying security automation technologies experienced about half the cost of a breach ($2.65 million average) compared to those that did not have these technologies.
  • Encryption was also a top cost saving factor, reducing the total cost of a breach by $360,000.
  • Breaches originating from a third party, such as a partner or supplier, cost companies $370,000 more than average.
  • Organizations in the Middle East reported the highest average number of breached records with nearly 40,000 breached records per incident.

Security experts weighed in on the results of the study, particularly on the prevalence of malicious breaches. "The fact that malicious breaches are now the most common and expensive type of IT disaster underscores the urgent need to implement a cyber-first recovery process to combat ransomware, wiper attacks, and other emerging threats. Companies that don’t update their recovery playbooks to address this new reality risk unnecessary downtime and unplanned infrastructure costs," said Mickey Bresman, Semperis chief executive.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.