Data Breach Costs Are on the Rise

The average cost of a data breach rose 6.4% year-over-year to about $3.9 million in 2018, according to research sponsored by IBM Security and conducted by the Ponemon Institute. The average cost for each lost record rose to $148 from $141, an increase of 4.8% from 2017, while the average size of data breaches increased 2.2%.

The research examined the likelihood that an organization will have one or more data breaches in the next two years. This was done using two factors: the size of the data breach and where the organization is located. Of the 477 companies surveyed around the world, 35 retail companies took part in the research, making up 7% of the companies surveyed.

The average global probability of a material breach in the next 24 months was 27.9%, an increase over 27.7% last year. South Africa was most likely to experience a data breach, at 43%, while Germany was least likely to, at 14.3%.

The U.S., Canada and Germany continue to have the highest costs per lost or stolen record at $233, $202 and $188, respectively. In 2018, companies in the U.S. had the highest total average cost for data breaches at $7.9 million.

Turkey, India and Brazil have much lower costs per record at $105, $68 and $67, respectively, while companies in Brazil had the lowest total average cost, at $1.24 million.

The global average of breached records was 24,615 in 2018. Companies in the Middle East had the largest average number of breached records, at 36,451, followed by India, at 34,110, and the U.S., at 31,465. Japan, Australia and South Africa saw the smallest number of breached records, at 19,200, 19,442 and 21,090, respectively.

Retail had a cost of $116 per breached record, which was on the lower end.

Malicious or criminal attacks cause the most data breaches, at 48%, while human error accounts for 27% and system glitches for 25%. In addition, malicious or criminal attacks are the costliest, at an average cost of $157 per record, while breaches caused by system glitches were $131 and breaches as a result of human factors were $128.

In the U.S., a malicious or criminal data breach cost $258 per compromised record.

Having an incident response (IR) team reduced the cost by as much as $14 per compromised record, to $134 (against the $148 global average). Similarly, the extensive use of encryption reduced the cost by $13 per record, to an adjusted $135. Conversely, a breach caused by a third party raised the cost by more than $13 per record, and companies undergoing a major cloud migration saw it rise by $12.

Two new factors are included in this year’s cost analysis – deployment of an artificial intelligence platform (AI) as part of a security automation solution and the extensive use of Internet of Things (IoT) devices. The deployment of an AI platform reduced cost by $8 per record, while the extensive use of IoT devices increased cost by $5 per record.

In the 2018 study, the cost ranged from $2.1 million for incidents with less than 10,000 compromised records to $5.7 million for breaches of more than 50,000 records. Each year, the findings show a consistent relationship between cost and size of the data breach.

The more customers lost after a breach, the higher its average total cost. The study groups companies into four abnormal churn-rate bands, from less than 1% to more than 4%. Firms with less than 1% customer loss had an average total cost of $2.7 million, while firms with a churn rate over 4% averaged $4.9 million.

For the 477 international firms that took part in the study, the global average churn rate was 3.4%, up slightly from the 3.2% average customer loss in 2017. The researchers noted that companies in countries with high churn rates can significantly reduce the costs of a data breach by emphasizing customer retention activities to preserve reputation and brand value.

In addition, certain industries were more vulnerable to customer loss. Retail averaged 2.1% customer loss as a result of data breaches.

Data breach notification costs were highest in the U.S., at $740,000, driven by the country's breach notification laws. Next was the Middle East, with notification costs of $300,000, and Germany, which averaged $270,000. Going forward, the EU's GDPR is expected to lead to substantial increases in notification costs around the world.

U.S. firms pay the highest cost for lost business. In 2018, U.S. companies averaged $4.2 million in lost business, which researchers attribute to consumers having more options, making their loyalty harder to preserve. In addition, current notification laws make consumers more aware of data breaches.

The U.S. had the highest indirect costs, at $152 per record, followed by Canada, at $116. Indirect costs cover the allocation of internal resources, such as employees' time and effort spent notifying victims and investigating the breach.

In 2018, the mean time to identify (MTTI) a data breach was 197 days, while the mean time to contain (MTTC) a data breach was 69 days. This was an increase over last year’s MTTI of 191 days and MTTC of 66 days. The stealth of recent attacks increases the time it takes to identify and contain these types of data breaches, researchers noted.

In the U.S., the MTTI was 201 days and the MTTC 52 days. In 2018, the retail sector took an average of 208 days to identify a breach and 69 days to contain it.

It takes an average of 221 days to identify malicious and criminal attacks, and 81 days to contain them. Data breaches caused by human error take just 174 and 57 days, respectively. Once a data breach takes more than 100 days to identify, the estimated cost rises by $1.1 million to a total of $4.2 million. Tools that heighten detective or forensic capabilities can significantly reduce data breach cost, researchers noted.

Mega breaches, which range from 1 million to 50 million lost records, cost companies between $40 million and $350 million, respectively.

For the full story, go to this week’s Food Institute Report.