Security measures are starting to pay off in lower data breach costs
SMBs, others learn that a swift response can limit damage to data, wallet
By Gary Stoller, ThirdCertainty
Organizations pay a hefty price for a data breach, but the cost, for the first time, has dropped, a 2017 IBM Security study conducted by the Ponemon Institute has found.
The study, which interviewed more than 1,900 individuals at 419 organizations in 11 countries, found the average cost of a data breach is $3.6 million—a 10 percent decrease from IBM Security’s 2016 study.
Incidents with fewer than 10,000 compromised records cost, on average, $1.9 million, and incidents with more than 50,000 compromised records cost, on average, $6.3 million. In the 2016 study, the corresponding costs were $2.1 million and $6.7 million.
“I was pleasantly surprised to see this was the first year in the history of the study that the global cost of a data breach has declined,” says Diana Kelley, IBM Security’s global executive security adviser. The Ponemon Institute has tracked the cost of U.S. data breaches for 12 years and other countries’ breaches for up to 10 years.
This year’s decrease, Kelley says, “may be an indication that the expertise and processes being put in place to optimize security measures are more effective than ever before.”
The new study found that incident response, encryption and education had the most impact—and business continuity programs also helped—in reducing the cost of a data breach.
The faster a data breach can be identified and contained, the lower the costs, the study revealed.
For the 419 companies in the study, the average time to identify a data breach was 191 days, and the average time to contain a breach was 66 days. The average time to identify and contain a breach was highest when a malicious or criminal attack was involved.
“Successfully responding to a breach is all about speed and limiting the window of access and damage to an organization’s IT environment and data,” Kelley says. “The more quickly a security team can identify what has happened, what the attacker has access to, and how to contain and remove their access, the more successful they will be in keeping costs down.”
People, not glitches, cause most problems
Hackers and criminal insiders cause the most data breaches. The study found that 47 percent of all breaches were caused by malicious or criminal attacks. The average cost per record to resolve such an attack was $156. In comparison, system glitches were resolved at an average cost of $128 per record, and human error or negligence breaches were fixed for $126 per record.
Companies in the United States and Canada spent the most to resolve a malicious or criminal attack. U.S. organizations spent, on average, $244 per record, and those in Canada spent $201 per record. In comparison, companies in India spent much less—$78 per record.
A single record compromised, of course, would be a manageable expense, but organizations with data breaches usually are faced with hundreds to thousands of compromised records.
“The numbers add up quickly when you consider all the resources and elements impacted by an attack,” Kelley says. “Detection and escalation costs alone can include forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and the board of directors.”
The bill “continues to rise,” she says, with the cost of notifying victims, help-desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions.
“For some small- or medium-size companies,” Kelley says, “a data breach could cost them their business if not effectively addressed.”