What is the cost of data breach?
According to the Ponemon Institute's results, there is really no avoiding the costs of a cyber breach. So what are the real costs of not taking the appropriate measures to protect data?
Well, the good news is that, according to the 2017 study, the cost of data breach continues to decline. According to this year’s benchmark findings, data breaches cost companies an average of $139 per compromised record, of which $79 pertains to indirect costs, including abnormal turnover or churn of customers, and $60 are direct costs incurred to resolve the data breach. Last year’s per capita cost was $142.
The average total organisational cost of data breach declines. This year, the average total cost to organisations decreased from $2.64 million in 2016 to $2.51 million. The most costly data breach since the inception of this research occurred in 2015 and was $2.82 million.
Smaller breaches and the ability to retain customers influence the decline in cost. The per capita cost decreased by 2.1 percent and the average total cost decreased by 5.0 percent. Reasons for the decline were organisations’ ability to retain customers following a data breach and reduce the number of lost or stolen records. Specifically, abnormal churn (the greater-than-expected loss of customers) decreased by 5.3 percent, and the average size of data breach (number of records lost or stolen) decreased by 5.8 percent.
Certain industries have higher data breach costs. Financial services, services and technology companies tend to have a per capita cost higher than the mean ($139), whereas companies in the public sector, transportation and retail had a per capita cost significantly below the mean.
Root cause and costs
Malicious or criminal attacks are the primary root causes of a data breach. Forty-eight percent of companies represented in this study experienced a malicious or criminal attack. Twenty-eight percent of incidents involved a negligent employee or contractor, and another 24 percent were due to system glitches.
Malicious or criminal attacks are the costliest. Not only are malicious attacks the most prevalent, but they are also more expensive to remediate. Companies that experienced malicious or criminal attacks had the highest per capita cost ($154). System glitches had an average per capita cost of $130 and employee or contractor negligence resulted in a per capita cost of $121.
Four new factors are added to this year’s cost analysis. The following factors that influence data breach costs were added to this year’s research: (1) compliance failures, (2) extensive use of mobile platforms, (3) CPO appointment and (4) the use of security analytics. The appointment of a CPO and the use of security analytics decreased the cost of data breach by $1 and $7.6, respectively. However, data breaches that were caused by compliance failures and the extensive use of mobile platforms increased the per capita cost by $8.7 and $10 per compromised record, respectively.
The more records lost, the higher the cost of data breach. In this year’s study, the average cost ranged from $0.89 million for data breaches involving less than 10,000 records to $6.65 million for those incidents with more than 50,000 compromised records.
The more churn, the higher the per capita cost of data breach. Those companies that experienced an abnormal churn rate, or the unexpected loss of customers following the breach, of less than 1 percent had a much lower average cost of data
Post data breach costs decrease. Ex-post (after-the-fact) activities typically include help desk activities, inbound communications, special investigative activities, remediation activities, legal expenditures, product discounts, identity protection services and regulatory interventions. The average ex-post response cost decreased from $0.64 million in 2016 to $0.61 million in 2017.
Lost business costs decrease. Lost business costs typically include the turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill. These costs decreased from $0.84 million in 2016 to $0.79 million in 2017.
Both direct and indirect costs decrease. The indirect cost of data breach includes costs related to the amount of time, effort and other organisational resources spent to resolve the breach. However, direct costs are actual expenses incurred to accomplish a given activity, such as purchasing a technology or hiring a consultant. The indirect cost per compromised record decreased from $80 to $79. The direct per capita cost of data breach decreased from $62 in 2016 to $60 in 2017.
The time to identify and contain data breaches impacts costs significantly. In the 2017 Ponemon Institute study, it took companies an average of 175 days to detect that an incident occurred and an average of 67 days to contain the incident. If the mean time to identify (MTTI) was less than 100 days, the average cost to identify was $1.96 million. However, if the time to identify was greater than 100 days, the cost rose significantly to $3.05 million. If the mean time to contain (MTTC) the breach was less than 30 days, the average cost was $2.24 million. If it took 30 days or longer, the cost significantly increased to $2.78 million.
With the rate of cyber security breaches increasing, can you or your organisation afford to drop cyber security on your priority list?
Cryptoloc Technology is a global encryption company working with organisations to secure their sensitive data. An encryption solution across all industry sectors, Cryptoloc Technology uses a patented methodology to secure data at rest and in motion.