IBM in conjunction with US independent data protection and security organisation The Ponemon Institute have published that the per-record cost of a data breach reached $154 in 2015, up 12% from $145 in 2014. Aggregated, this amounted to an average total cost of a single data breach of $3.79 million. The survey reviewed 350 companies across 11 countries, each of which had suffered a breach.
Prior to this, technology and communications giant Verizon had estimated the per record cost to be a scant 54 cents. However Ponemon Institute Chairman Larry Ponemon noted this was based on a small sample of 191 reports from cyber insurance claims and represented only around 10% of the insurance coverage for the cost of the breach and ignored the indirect costs or loss of resulting business.
Target’s latest breach was estimated to cost the company over $1 billion, but it was only insured for $100 million. Ponemon added: “Companies generally buy enough insurance to cover 50% of the value of their fixed assets, but only 12% of the value of their digital assets”.
Loss of business is a growing part of the total cost of a data breach, with an increased trend of customer churn, with reputation and goodwill adding up to $1.57 million per company cost (up from $1.33 million the previous year).
VP at IBM Security, Caleb Barlow commented: “At a minimum, a company with a data breach has to send out letters notifying customers that they were breached pay for credit monitoring”.
Data breach costs reportedly varied substantially in different industries and geographies, with healthcare having the highest costs due to its long shelf life, at an average of $363 per record and the US with the highest per-record cost at $217, followed by Germany at $211, with India the lowest at $56 per record.
Healthcare records are especially valuable due to the volume of personal information, Social Security numbers and insurance details which can be used to create credit records or for identify fraud in 10-15 years.
Cyber breach cost reductions:
• Companies with incident response teams reduced the costs per record by $12.60 because of their ability to swiftly respond
• Using encryption reduced costs by $12.
• Employee training reduced costs by $8.
• If business continuity management personnel were part of the incident response team, costs fell by $7.10.
• CISO leadership lowered costs by $5.60
• Board involvement lowered costs by $5.50
• Cyber insurance lowered costs by $4.40.
Having an assured and well prepared management response has a definite impact on the bottom line cost of any cyber security breach. As Caleb Barlow darkly warned: “You don’t have days to respond. You don’t even have hours. You have minutes to get your act together.”
Cyber breach cost increases:
• Bringing in outside consultants added $4.50 per record.
• Lost or stolen devices added $9 per record on average.
• Third party involvement as the cause of a breach increased the average per-record breach cost by $16 (from $154 to $170).
Factoring in time to respond to end cost proved significant too:
• Respondents took 256 days on average to spot a breach caused by a malicious attacker – and 82 days to contain it.
• Breaches caused by system glitches took 173 days to spot – and 60 days to contain.
• Human error breaches took an average of 158 days to notice – and 57 days to contain.
With cyber security a major thorn in the side of business and an increasingly sophisticated route to damaging trust and reputation, no organisation of any size can afford a) not to have reviewed the security of its estate and b) taken steps to develop relevant and up to date policies and measures to safeguard its digital assets – and share this regularly with the Board.
Additionally and crucially, as our Head of Technology & Governance, JP Norman reminds us, “The reputational and financial losses quoted are without the EU Data Directive changes on the way which will enable fines of up to 5% of global turnover. CIO’s need to ensure their boards are aware of the potential financial risks that are likely to be in place by late 2016”.