Security measures are starting to pay off in lower data breach costs

SMBs, others learn that a swift response can limit damage to data, wallet


Organizations pay a hefty price for a data breach, but the cost, for the first time, has dropped, a 2017 IBM Security study conducted by the Ponemon Institute has found.

The study, which interviewed more than 1,900 individuals at 419 organizations in 11 countries, found the average cost of a data breach is $3.6 million, a 10 percent decrease from IBM Security’s 2016 study.

Incidents with fewer than 10,000 records compromised cost, on average, $1.9 million, and incidents with more than 50,000 compromised records cost, on average, $6.3 million. Incident costs in the 2016 study were, respectively, $2.1 million and $6.7 million.


“I was pleasantly surprised to see this was the first year in the history of the study that the global cost of a data breach has declined,” says Diana Kelley, IBM Security’s global executive security adviser. The Ponemon Institute has tracked the cost of U.S. data breaches for 12 years and other countries’ breaches for up to 10 years.

This year’s decrease, Kelley says, “may be an indication that the expertise and processes being put in place to optimize security measures are more effective than ever before.”

What’s working

The new study found that incident response, encryption and education had the most impact in reducing the cost of a data breach, and that business continuity programs also helped.

The faster a data breach can be identified and contained, the lower the costs, the study revealed.

For the 419 companies in the study, the average time to identify a data breach was 191 days, and the average time to contain a breach was 66 days. The average time to identify and contain a breach was highest when a malicious or criminal attack was involved.


“Successfully responding to a breach is all about speed and limiting the window of access and damage to an organization’s IT environment and data,” Kelley says. “The more quickly a security team can identify what has happened, what the attacker has access to, and how to contain and remove their access, the more successful they will be in keeping costs down.”

People, not glitches, cause most problems

Hackers and criminal insiders cause the most data breaches. The study found that 47 percent of all breaches were caused by malicious or criminal attacks. The average cost per record to resolve such an attack was $156. In comparison, system glitches were resolved at an average cost of $128 per record, and human error or negligence breaches were fixed for $126 per record.

Companies in the United States and Canada spent the most to resolve a malicious or criminal attack. U.S. organizations spent, on average, $244 per record, and those in Canada spent $201 per record. In comparison, companies in India spent much less: $78 per record.

A single record compromised, of course, would be a manageable expense, but organizations with data breaches usually are faced with hundreds to thousands of compromised records.

“The numbers add up quickly when you consider all the resources and elements impacted by an attack,” Kelley says. “Detection and escalation costs alone can include forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and the board of directors.”

The bill “continues to rise,” she says, with the cost of notifying victims, help-desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions.

“For some small- or medium-size companies,” Kelley says, “a data breach could cost them their business if not effectively addressed.”
