The Cost of a Data Breach

We recently wrote about why companies don’t patch their systems. While the reasons may be legitimate, the decision carries significant risk. The cost of a data breach due to a cyber attack is multifaceted; there is an impact on business operations, employee productivity, customer retention, lost prospects, system availability, and stock price among other factors.

How much will a data breach cost?

There isn’t a definitive answer. It varies based on company size, location, industry, and the amount of data compromised. To this end, recent reports from IBM, Comparitech, and Cisco shed light on the current state of cyber security and the cost associated with data breaches. While the numbers below are significant, the costs can be far higher than the data here shows.

For example, the Yahoo breach cost the company $350 million, while the Target breach cost the company $202 million, plus an additional $18.5 million in claims. And just this month, the UK, which has been aggressive on holding companies responsible for poor security practices, has warned that fines could reach $22 million if companies fail to protect themselves adequately.

According to Ponemon Institute’s study for IBM, the overall average organizational cost of a data breach is $3.62 million globally. However, the US has the highest average cost at $7.35 million, which is more than twice as high as the number two country on the list. Per compromised record, the average global cost is $141. Again, the US has the highest average cost, at $225 per record.

On a bright note, both of these global averages are down from last year (10% and 11% respectively), while the US numbers are up in both instances. One area where the US has improved year over year is the number of exposed or compromised records. The global average number is 24,089, while the US number is 28,512, coming in third on the list and only slightly above average.

A variety of factors affect the cost of a breach. As you might assume, the larger the data breach, the higher the cost to the company. Also driving up the cost is the length of time it takes to identify and then contain the breach. The average time to identify a breach globally is 191 days (six months), with another 66 days (2 months) to contain it.

The type of breach also plays an important role in the cost. On average globally, a malicious or criminal attack represents 47% of breaches and costs $156 per record. In the US, however, malicious or criminal attacks represent 52% of breaches and cost $244 per record. It is also important to note that these attacks take longer to identify (214 days) and to contain (77 days).

The other primary causes, including system glitch and human error, represent 25% and 28% of breaches and cost $128 and $126 per record, respectively. These breaches are identified and contained faster. Malicious or criminal attacks are more common and more expensive for the company.

Customer retention and lost business costs are also significant factors to consider. Companies that experience a churn rate of up to 2% after a breach face costs of $2.5 million, while a churn rate of 4% or more costs companies $5.1 million. The Financial, Health, and Services industries are especially at risk here, as they experience the highest churn rates from a data breach, all averaging greater than five percent.

The United States outranks every other country in the study when it comes to lost business costs due to a data breach. Factoring in customer retention, lost prospects, and reputation and goodwill losses, US businesses average $4.13 million in cost. The next highest country is at $2.02 million, with every other country realizing costs of less than $1.6 million.

A final factor for public companies to consider when calculating the cost of a potential data breach is how Wall Street will respond. The immediate response is a loss of 0.43% of stock price, which is consistent with daily volatility. While that is not an alarming drop, the long-term trend in stock price is more impactful. The study shows that companies experienced a 45% increase in share price over the three years prior to their breach, and just a 14% increase over the three years after the breach. NASDAQ-listed companies tend to return to the index’s performance level just over a month after their breach, but over the next three years they underperform it by more than 40%.

If you think that all of this is interesting, but there’s no way this can happen to you, you might want to think again. The probability of a data breach involving more than 10,000 records over the next two years has increased in nine of the 13 countries surveyed. The global average is now at 27.7%, with the US average at 26.8%. More than a quarter of companies are going to experience a significant breach.
