There are 6.03 million reasons for organizations to protect their databases from cyber-attacks. The 2016 Cost of Data Breach Study (the “Study”), produced by IBM and the Ponemon Institute, serves as a sharp reminder for organizations to continue to bolster their data security initiatives. According to the Study, the average cost of a data breach is up 12.5% over the past year, from $5.32 million to $6.03 million. Adding to the concern, there is a 26% chance of a material data breach involving at least 10,000 lost or stolen records occurring within the next 2 years.
The Study examined the costs sustained by 24 Canadian companies from 11 different sectors over a 12-month period. Organizations that suffered a catastrophic number of breached records (more than 100,000 lost or stolen records) were omitted from the Study in an effort to provide representative results. This means, for example, that the massive data breach suffered by Ashley Madison was not accounted for in the Study.
Some key findings:
- The average number of breached records among the participating companies was 21,200, at an average cost of $278 per lost or stolen record.
- Malicious and criminal activity is the leading cause of data breaches – accounting for 54% of all breaches. Such activity takes the most time to detect and contain: an average of 239 days, a sharp contrast to the 170 days for breaches caused by human error. Unsurprisingly, the Study confirmed that the longer it takes an organization to identify and contain a breach, the more costly the breach becomes.
- Data breaches caused by extensive migration to the cloud, third-party errors, or lost or stolen devices lead to well-above-average costs of $300.05 per lost or stolen record. These costs include both indirect expenses – which include the amount of time, effort and other organizational resources spent on resolving the breach – and direct expenses.
- One of the most significant financial impacts of a data breach is the loss of business suffered by the breached organization. This category includes abnormal customer turnover, increased customer acquisition activities, reputation losses, and diminished goodwill. Loss of business alone makes up more than 37% of the total cost incurred as a result of a breach. On average, a data breach costs an organization $2.24 million in lost business.
However, not all is doom and gloom. The Study identified certain factors that reduced the cost of a data breach. Organizations that had incident response teams and plans, employee training programs, and board-level involvement and participation in threat sharing, and that used extensive encryption, decreased costs by as much as $25 per lost or stolen record, reducing the average cost per lost or stolen record to $253. While organizations have always been well aware of the qualitative reasons to prevent data breaches, the Study helps quantify the importance of investing in preemptive measures that reduce vulnerability and mitigate costs if breaches occur.