Hidden costs of data breaches difficult to manage, study finds

The full cost of “mega breaches” can be up to £264m, with the average UK data breach costing £2.69m, a study has revealed

The hidden costs of data breaches are difficult and expensive to manage, according to the latest Ponemon study on the cost of data breaches, sponsored by IBM Security.

Hidden costs include lost business, negative impact on reputation and employee time spent on recovery, the global study examining the full financial impact of a data breach found.

The study showed that one-third of the cost of “mega breaches” involving more than a million records is a direct result of lost business.

The 2018 Cost of a Data Breach Study found that the average cost of a data breach globally is £2.9m ($3.86m), a 6.4% increase on the previous year for breaches involving 2,500 to 100,000 records.

Based on in-depth interviews with nearly 500 companies that experienced a data breach, the study analysed hundreds of cost factors relating to a breach, including technical investigations, recovery, notifications, legal and regulatory activities, and the cost of lost business and reputation.

For the first time, the study calculated the costs associated with “mega breaches” ranging from one million to 50 million records lost, projecting that these breaches cost companies between £30m ($40m) and £263.6m ($350m).

“While highly publicised data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified,” said Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services (IRIS).

“The truth is, there are many hidden expenses that must be taken into account, such as reputational damage, customer turnover and operational costs. Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake.”

The number of mega breaches has nearly doubled in the past five years – from just nine in 2013 to 16 in 2017. Because of the small number of mega breaches in the past, the study historically analysed only data breaches involving 2,500 to 100,000 records.

Based on analysis of 11 companies that experienced a mega breach over the past two years, this year’s report found that the vast majority of these breaches stemmed from malicious and criminal attacks, as opposed to system glitches or human error.

The average time to detect and contain a mega breach was 365 days – almost 100 days longer than a smaller-scale breach, the study found.

For mega breaches, the biggest expense category was costs associated with lost business, which was estimated at nearly £89m ($118m) for breaches of 50 million records.

IBM analysed the publicly reported costs of several high-profile mega breaches and found that the reported numbers are often lower than the average cost found in the study. This is likely because publicly reported costs are often limited to direct costs, such as technology and services to recover from the breach, legal and regulatory fees, and reparations to customers, the report said.

In the UK, the indirect costs of a breach outweighed the direct costs at £58 per lost or stolen record versus £50, respectively.

For the past 13 years, the Ponemon Institute has examined the cost associated with data breaches of less than 100,000 records, finding that the costs have steadily risen over the course of the study. The average cost of a data breach was £2.9m ($3.86m) in the 2018 study, compared with £2.6m ($3.5m) in 2014, representing an increase of nearly 10% over the past five years.

The study also examined factors that increase or decrease the cost of a breach, finding that costs are heavily affected by the amount of time spent containing a data breach, as well as by investments in technologies that speed response time.

The average time to identify a data breach in the study was 197 days, and the average time to contain a data breach, once identified, was 69 days. Companies that contained a breach in less than 30 days saved more than £754,000 ($1m) compared with those that took more than 30 days.

The number of lost or stolen records also affects the cost of a breach, which averaged £112 ($148) per lost or stolen record. The study examined several factors that increase or decrease this cost and found that having an incident response team was the top cost-saving factor, reducing the cost by £10.50 ($14) per compromised record.

The use of an AI (artificial intelligence) platform for cyber security reduced the cost by £6 ($8) per lost or stolen record, while companies that indicated a “rush to notify” had a higher cost of £3.77 ($5) per lost or stolen record.

The 2018 report examined, for the first time, the effect of security automation tools that use AI, machine learning, analytics and orchestration to augment or replace human intervention in the identification and containment of a breach. It found that organisations that had extensively deployed automated security technologies saved over £1.1m ($1.5m) on the total cost of a breach, compared with those that had not deployed security automation.

UK figures show that incident response and the extensive use of encryption reduced the cost per compromised record by £12.90 and £11.50, respectively.

The study also compared the cost of data breaches in different industries and regions, finding that data breaches are the costliest in the US at £5.9m ($7.91m), mainly because of lost customers after the breach, and the Middle East, where the average cost of a breach was £4m ($5.31m). The least costly breaches were in Brazil, where the average cost was £937,000 ($1.24m) and India at £1.33m ($1.77m).

The average cost of breaches in the UK involving 2,500 to 100,000 records was calculated at £2.69m, which is below the global average. The per capita cost per stolen or lost record in the UK was calculated at £108, up 9.7% from the previous year.

Other UK data shows that malicious or criminal attacks were the root cause for 50% of data breaches, the mean time to identify the data breach decreased from 168 to 163 days compared with the previous year, and the mean time to contain the data breach fell from 67 to 64 days.

For the eighth year in a row, healthcare organisations had the highest costs associated with data breaches – costing £308 ($408) per lost or stolen record, which is nearly three times higher than the cross-industry average of £112 ($148).

In the UK, financial breaches were the most expensive, costing organisations £163 per lost or stolen record, followed by technology at £151.

“The goal of our research is to demonstrate the value of good data protection practices, and the factors that make a tangible difference in what a company pays to resolve a data breach,” said Larry Ponemon, chairman and founder of the Ponemon Institute.

“While data breach costs have been rising steadily over the history of the study, we see positive signs of cost savings through the use of newer technologies as well as proper planning for incident response, which can significantly reduce these costs.”
