The recently released 2015 Cost of Data Breach Study: Global Analysis, conducted by the Ponemon Institute, revealed an increase of 23% in the average cost of a data breach for business (now $3.8 million). It also showed an increase of 6% in the average cost of each lost or stolen record holding sensitive data (from $145 per record to $154 per record). These two increases alone demonstrate what CEOs can expect when it comes to data breach costs; above all, they indicate that information security truly is a part of the business process (if the business wants to stick around).
Additional insights from the Ponemon study that deserve executive attention, particularly from CEOs in retail and healthcare, are that retailers are seeing a hike in price per stolen record (from $105 last year to $165 this year) and healthcare organizations hold the highest average cost per stolen record (at $363 per record).
The study goes on to list three reasons why data breach costs are higher:
- The increased frequency of cyber attacks, which means organizations need to invest in resolving the security incidents.
- The loss of business following a breach.
- The costs for forensic and investigative activities, assessments and crisis team management.
When it comes to reducing costs, the 2015 Cost of Data Breach Study shows that if the board is involved and businesses purchase insurance, their data breach costs are lower. The active role of the board of directors reduces the cost per record by $5.50 and insurance protection reduces costs by $4.40 per record. Furthermore, business continuity management within an organization also reduces data breach costs (by an average of $7.10 per record).
The countries that suffer the most costly breaches are the U.S. and Germany, with the U.S. holding an average of $217 per compromised record. Data breach costs also vary by industry: although the average cost per record is $154, if you’re a healthcare organization the cost per breached record is as high as $363, and if you’re an educational institution the cost is $300 per record. The lowest cost per lost or stolen record was found in the transportation ($121) and public ($68) sectors.
When the study looked at the causes of breaches, it found that 47% of them were caused by malicious or criminal attacks. These types of breaches cost an average of $170 per record. Data breaches caused by system glitches cost organizations $142 per record, while negligence and human error cost them $137 per record.
As for notification costs and loss of business, the study finds that notification costs have remained low (going from $170,000 last year to $190,000 this year), but losing business due to a breach steadily increases and is now an average of $1.57 million (versus $1.23 million in 2013).
The last important point from the recent study is that the time it takes an organization to identify and contain a data breach does affect the cost. The quicker a business can identify and contain a breach, the fewer financial consequences it suffers. For malicious attacks, the study reveals that it can take an organization an average of 256 days to identify the breach, while human error breaches can take 158 days to identify. As mentioned above, malicious attacks are the most costly type of breach, which clearly shows the relationship between the time it takes to identify a breach and the costs a business will face.
That a breach has financial repercussions has always been the case, but the above study results also show the status of breach costs, which is that they’re not getting any cheaper. This means business executives who don’t take data security seriously are risking a higher and higher financial burden, not to mention the damage they do to their customers and the possibility of losing their business altogether.
How are you working on reducing your data breach costs? What’s your information security plan?