In late July, IBM issued its 2019 Cost of a Data Breach Report. The annual report, which IBM has sponsored since 2006 and which is conducted by the Ponemon Institute, “analyzes data breach costs reported by 507 organizations across 16 geographies and 17 industries.” The link to the report, which is available as a free download with registration, can be found here.
Unsurprisingly, the report reveals that the cost of a data breach continues to rise. At $8.19 million, the average cost of a data breach in the United States was the highest anywhere in the world, compared to the global average cost of $3.92 million per breach. Last year, the average cost of a data breach in the United States was $7.91 million. Moreover, the cost of a data breach has increased 130% from 2006, when the average cost in the United States was $3.54 million. Some key takeaways from the report:
- Average Cost of Data Breach: $3.92M globally and $8.19M in the United States.
- Average Size of Data Breach: 25,575 records globally and the same in the United States.
- Cost Per Lost Record: $150 globally and $242 in the United States.
- Time to Identify and Contain Data Breach: 279 days globally and 245 days in the United States.
Other key findings summarized in the press release issued by IBM that accompanied the report included the following:
- Malicious Breaches – Most Common, Most Expensive: Over 50% of data breaches in the study resulted from malicious cyberattacks and cost companies $1 million more on average than those originating from accidental causes.
- "Mega Breaches" Lead to Mega Losses: While less common, breaches of more than 1 million records cost companies a projected $42 million in losses; and those of 50 million records are projected to cost companies $388 million.
- Practice Makes Perfect: Companies with an incident response team that also extensively tested their incident response plan experienced $1.23 million less in data breach costs on average than those that had neither measure in place.
- U.S. Breaches Cost Double: The average cost of a breach in the U.S. is $8.19 million, more than double the worldwide average.
In addition, the highest industry average cost of $6.45 million was reported to be in the U.S. healthcare industry. The costs associated with a data breach include, among other things: incident response, legal compliance, breach notification, credit/fraud monitoring services, forensic mediation/remediation, public relations, legal services for defense and compliance, and the churn rate/reputational costs. The report found that a loss in customer trust had devastating consequences for businesses, with the average cost of lost business being $1.42 million or 36% of the total global average cost of a breach. For small and midsize businesses with fewer than 500 employees, the average costs were found to be even greater relative to size, averaging approximately $2.5 million or in excess of $3,000 per employee. Moreover, the costs associated with a data breach were found to have a long tail, stretching multiple years after discovery of the breach.
The report also found a direct correlation between the length of time it took organizations to identify and contain a breach and the corresponding costs of a data breach. Organizations that were able to detect and contain a breach in less than 200 days reduced their costs, on average, by $1.2 million. In a related finding, organizations that had effective incident response plans and extensive testing in place were able to reduce their total costs, on average, by $1.23 million, compared to other organizations that had neither in place.
The implementation of other cybersecurity measures also significantly reduced the average cost of data breaches. For example, the report found that the extensive use of encryption reduced costs by $360,000 and the implementation of security automation technologies (such as automated vulnerability scanning, among other automated security operations) cut total costs in half. With respect to breaches caused by third-party vendors, the average cost increased by $370,000, serving as an important reminder to organizations to have appropriate contracts, standards, policies, systems and monitoring in place that govern their relationships with their business partners and suppliers.
As with its past reports, the 2019 Cost of a Data Breach Report shows that hackers’ appetite for sensitive information that they can monetize is not abating, requiring organizations to ensure they have robust cybersecurity countermeasures in place to identify, detect, mitigate, remediate and respond to threats to and intrusions into their information systems. The report also shows that the implementation of effective cybersecurity measures can significantly reduce the cost of a data breach, providing meaningful guidance that should help inform the steps organizations take to safeguard sensitive customer and employee data.