IBM Security and Ponemon Institute released their 2018 Cost of Data Breach Study: Global Overview. The study interviewed 2,200 IT, data protection, and compliance professionals from 477 companies that have experienced a data breach over the past 12 months. According to the findings, data breaches continue to be costlier and result in more consumer records being lost or stolen, year after year.
The average total cost of a data breach, the average cost for each lost or stolen record (per capita cost), and the average size of data breaches have all increased beyond the 2017 report averages:
- The average total cost rose from $3.62 to $3.86 million, an increase of 6.4 percent
- The average cost for each lost record rose from $141 to $148, an increase of 4.8 percent
- The average size of the data breaches in this research increased by 2.2 percent
The findings paint a grim portrait of what the cleanup is like for companies whose data becomes exposed—particularly for larger corporations that suffer so-called “mega breaches,” a costly exposure involving potentially tens of millions of private records.
Of the 11 mega breaches examined by IBM, 10 were a result of criminal attacks.
The average amount of time that passes before a major company notices a data breach is pretty atrocious. According to IBM, mega breaches typically go unnoticed for roughly a year.
Loss of business remains one of the largest expenses in the wake of a high-profile breach. Companies that have suffered breaches involving 50 million stolen records or more can expect to lose up to $118 million in business—a third of the cost associated with the incident.
Other key findings of the study include:
- The average time to identify a data breach is 197 days, and the average time to contain a data breach once identified is 69 days.
- Companies that contained a breach in less than 30 days saved over $1 million compared to those that took more than 30 days ($3.09 million vs. $4.25 million average total).
- Each lost or stolen record costs roughly $148 on average, but having an incident response team (surprisingly, not every company does) can reduce the cost per record by as much as $14.
- The use of an AI platform for cybersecurity reduced the cost by $8 per lost or stolen record.
- Companies that indicated a “rush to notify” had a higher cost by $5 per lost or stolen record.
- U.S. companies experienced the highest average cost of a breach at $7.91 million, followed by firms in the Middle East at $5.31 million.
- The lowest total cost of a breach was $1.24 million in Brazil, followed by $1.77 million in India.
In the United States, costs associated with loss of business after a data breach are actually higher than the total cost of dealing with a data breach globally, and “more than double the amount of ‘lost business costs’ compared to any other region surveyed.”
There are many hidden costs associated with data breaches, said Wendi Whitmore, global lead at IBM X-Force, the company’s renowned security research division, including damage to reputation, customer turnover, and operational costs.
“Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake,” Whitmore said.
You can download the full 2018 Cost of a Data Breach Study here.