IBM looks at the "hidden" costs of data breaches

A new global study by IBM Security has found that not only do data breaches cause more financial damage than businesses would like to admit, they are also generally difficult and expensive to manage.

The “2018 Cost of a Data Breach Study” was conducted by Ponemon Institute for IBM. Nearly 500 companies that experienced a data breach participated in the study, which analyses cost factors surrounding a breach such as investigations, recovery costs, notifications to the affected, as well as cost of lost business and reputation.

The study found that the average cost of a data breach globally is US$3.86 million; this represents a 6.4% increase from last year’s report. Another major finding of the study was that the cost of lost business makes up a third of the total cost of “mega breaches” (breach events where over a million records were lost) around the world – this means that for breaches of 50 million records, companies can lose about US$118 million.

IBM projected that these mega breaches, which can range from one million records lost to 50 million, can cost companies from US$40 million to as much as US$350 million.

Other notable findings of the report include:

• 10 out of 11 data breaches stemmed from malicious and criminal attacks (as opposed to system glitches or human error).
• The average time to detect and contain a mega breach was 365 days – nearly 100 days longer than a smaller scale breach (266 days).
• The average time to identify a breach was 197 days; the average time to contain a breach once identified was 69 days.
• Even the cost of smaller-scale breaches has been steadily increasing; the average cost of a data breach of less than 100,000 records was US$3.86 million in 2018 – nearly 10% more compared to US$3.50 million in 2014.
• Companies that managed to contain a breach in less than 30 days saved more than US$1 million compared to those that took more than 30 days (US$3.09 million vs. US$4.25 million average total).
• Breaches cost companies US$148 per lost or stolen record on average.
• US companies saw the highest average cost of data breaches in different groups and regions; data breaches are also the costliest in the US and the Middle East.
• Data breaches are the least costly in Brazil and India.

“While highly publicised data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified,” commented IBM X-Force Incident Response and Intelligence Services (IRIS) global lead Wendi Whitmore in a release. “The truth is there are many hidden expenses which must be taken into account, such as reputational damage, customer turnover, and operational costs. Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake.”

Related stories:
ACORD, Aon and Beazley launch Data Breach Standard
Gallagher urges businesses to get cyber covered