Ponemon Institute releases 2017 Cost of Data Breach around the world
June 22, 2017 |
The cost of data breaches can be catastrophic. The BBC reports that a South Korean web hosting firm, Nayana, has paid $1 million that had been the subject to a ransomware attack. The hackers initially wanted $4.4 million payable in Bitcoin. The orthodox advice is not to pay the ransom. The reality is more mixed.
Ponemon has released another very useful report, this time on the cost of data breaches. It is titled 2017 Cost of Data Breach Study Global Overview.
Some interesting findings include:
- All participating organizations experienced a data breach ranging from approximately 2,600 to
slightly less than 100,000 compromised records - there is an average probability of 27.7 percent that organizations in this study will have a
material data breach in the next 24 months. Last year the chance was 25.6% - more organizations worldwide lost customers as a result of their data breaches. However having a senior-level leader such as a chief privacy officer or chief information security officer able to direct initiatives that improve customers’ trust in how the organization safeguards their personal information will reduce churn and the cost of the breach
- Organizations that offer data breach victims breach identity protection in the aftermath of the breach are also more successful in reducing losses.
- the days to identify the data breach has decreased from an average of approximately 201 in 2016 to 191 days currently and the average days to contain the data breach from 70 to 66 days
- almost half of organizations represented (47 percent) identified the root cause of the data breach as a malicious or criminal attack and the average cost was approximately $156.
- the cost of system glitches and human error or negligence averaged approximately $128 and $126, respectively.
- The average cost of data breach decreased 10 percent and the per capita cost decreased 2.9 percent.
- the average size of a data breach (number of records lost or stolen) increased 1.8 percent. Over the past year, there was no change in the abnormal churn rate, which is defined as the greater than expected loss of customers.
- the average total cost of data breaches reduced in Germany (-.91), France (-.68), Australia (-.48) and the United Kingdom (-.45).
- The average global cost of data breach per lost or stolen record was $141. The cost for health care organizations was $380 while for financial services the average cost was $245.
- there is a relationship between the average total cost of data breach and the size of the incident. The average total cost ranged from $1.9 million for incidents with less than 10,000 compromised records to $6.3 million for incidents with more than 50,000 compromised records. In 2016 the cost ranged from $2.1 million for a loss of less than 10,000 records to $6.7 million for more than 50,000 records
- an incident response team reduced the cost by as much as $19 per compromised
record. The extensive use of encryption reduced cost by $16 per capita, with an adjusted average cost of $125 ($141-$16) per record
The media release provides:
CAMBRIDGE, Mass. , June 20, 2017 /PRNewswire/ — IBM (NYSE: IBM) Security today announced the results of a global study exploring the implications and effects of data breaches on today’s businesses. Sponsored by IBM Security and conducted by Ponemon Institute, the study found that the average cost of a data breach is $3.62 million globally1, a 10 percent decline from 2016 results. This is the first time since the global study was created that there has been an overall decrease in the cost. According to the study, these data breaches cost companies $141 per lost or stolen record on average.
Analyzing the 11 countries and two regions surveyed in the report, IBM Security identified a close correlation between the response to regulatory requirements in Europe and the overall cost of a data breach. European countries saw 26 percent decrease in the total cost of a data breach over last year’s study. Businesses in Europe operate in a more centralized regulatory environment, while businesses in the United States (U.S.) have unique requirements, with 48 of 50 states having their own data breach laws. Responding to a multitude of regulatory requirements and reporting to potentially millions of consumers can be an extremely costly and resource intensive task.
According to the 2017 Cost of Data Breach Study: Global Overview, “compliance failures” and “rushing to notify” were among the top five reasons the cost of a breach rose in the U.S. A comparison of these factors suggests that regulatory activities in the U.S. could cost businesses more per record when compared to Europe. For example, compliance failures cost U.S. businesses 48 percent more than European companies, while rushing to notify cost U.S. businesses 50 percent more than European companies. Additionally, U.S. companies reported paying over $690,000 on average for notification costs related to a breach – which is more than double the amount of any other country surveyed in the report.
“New regulatory requirements like GDPR in Europe pose a challenge and an opportunity for businesses seeking to better manage their response to data breaches,” said Wendi Whitmore, Global Lead, IBM X-Force Incident Response & Intelligence Services (IRIS). “Quickly identifying what has happened, what the attacker has access to, and how to contain and remove their access is more important than ever. With that in mind, having a comprehensive incident response plan in place is critical, so when an organization experiences an incident, they can respond quickly and effectively.”
The Cost of a Data Breach Not Down Everywhere
In the 2017 global study, the overall cost of a data breach decreased to $3.62 million – down 10 percent from $4 million last year. However, many regions experienced an increased cost of a data breach – for example, the cost of a data breach in the U.S. was $7.35 million, a five percent increase compared to last year. However, the U.S. wasn’t the only country to experience increased costs in 2017.
- Non-European Countries Experienced Increased Costs: Organizations in the Middle East, Japan, South Africa, and India all experienced increased costs in 2017 compared to the four-year average costs.
- European Countries Experienced Most Significant Decrease in Costs: Germany, France, Italy and the U.K. experienced significant decreases compared to the four-year average costs. Australia, Canada and Brazil also experienced decreased costs compared to the four-year average cost of a data breach.
When compared to other regions, U.S. organizations experienced the most expensive data breaches in the 2017 report.
- In the Middle East, organizations saw the second highest average cost of a data breach at $4.94 million – more than 10 percent increase over the previous year
- Canada was the third most expensive country for data breaches, costing organizations an average of $4.31 million.
- In Brazil data breaches were the least expensive overall, costing companies only $1.52 million.
Time Is Money: Containing Data Breaches
For the third year in a row, the study found that having an Incident Response (IR) team in place significantly reduced the cost of a data breach, saving more than $19 per lost or stolen record. The speed at which a breach can be identified and contained is in large part due to the use of an IR team and having a formal Incident Response plan. IR teams can assist organizations to navigate the complicated aspects of containing a data breach to mitigate further losses.
According to the study, how quickly an organization can contain data breach incidents have a direct impact on financial consequences. The cost of a data breach was nearly $1 million lower on average for organizations that were able to contain a data breach in less than thirty days compared to those that took longer than 30 days. Speed of response will be increasingly critical as GDPR is implemented in May 2018, which will require organizations doing business in Europe to report data breaches within 72 hours or risk facing fines of up to four percent of their global annual turnover.
With such significant cost savings in mind, the study revealed there’s room for improvement with organizations when it comes to the time to identify and respond to a breach. On average, organizations took more than six months to identify a breach, and more than 66 additional days to contain a breach once discovered.
Additional Key Findings from 2017 Cost of a Data Breach Report
- By Industry, Healthcare Breaches Most Costly: For the seventh year in a row, healthcare has topped the list as the most expensive industry for data breaches. Healthcare data breaches cost organizations $380 per record, more than 2.5 times the global average across industries ($141 per record.)
- Top Factors Increasing Cost of a Breach: The involvement of third-parties in a data breach was the top contributing factor that led to an increase in the cost of a data breach, increasing the cost $17 per record. Organizations need to evaluate the security posture of their third-party providers – from payroll to cloud providers to CRM – to ensure the security of employee and customer data.
- Top Factors Reducing Cost of a Breach: Incident response, encryption and education were the factors shown to have the most impact on reducing the cost of a data breach. Having an incident response team in place resulted in $19 reduction in cost per lost or stolen record, followed by extensive use of encryption ($16 reduction per record) and employee training ($12.50 reduction per record).
- Positive Impact of Resiliency Orchestration: Business continuity programs are significantly reducing the cost of a data breach. The overall average data breach cost per day is estimated at $5,064 in this year’s study. Companies that have a manually operated Disaster Recovery process experienced an estimated average cost of $6,101 per day. In contrast, companies deploying an automated Disaster Recovery process that provides resiliency orchestration experienced a much lower average cost per day of $4,041. This represents a net difference of 39 percent (or a cost savings of $1,969 per day).
Uncovering the Cost of a Data Breach
The annual Cost of Data Breach study examines both direct and indirect costs to companies in dealing with a single data breach incident. Through in-depth interviews with more than 410 companies in 13 countries or regions, the study factors in costs associated with breach response activities, as well as reputational damage and the cost of lost business.
“Data breaches and the implications associated continue to be an unfortunate reality for today’s businesses,” said Dr. Larry Ponemon. “Year-over-year we see the tremendous cost burden that organizations face following a data breach. Details from the report illustrate factors that impact the cost of a data breach, and as part of an organization’s overall security strategy, they should consider these factors as they determine overall security strategy and ongoing investments in technology and services.”
[…] Ponemon Institute releases 2017 Cost of Data Breach around the world […]