Last year we wrote about the results of the latest IBM and the Poneman Institute (independent researcher on privacy, data protection and information security policy) cost of a data breach study. The two organizations have been tracking the global cost of data breaches within the U.S. as well as a dozen other countries including the U.K., Germany, Australia, France, Italy, and The Middle East for the past 12 years. The study captured data from 17 industries including healthcare, finance, technology, and retail - all particularly relevant sectors for Automox customers.
We wanted to revisit the study with a focus on a couple of statistics from the U.S. results, since many Automox customers are from North American (with a growing contingency of overseas clients). You can read the entire research study here.
The average cost of a data breach is $7.35 million, which is a 5% increase over the prior year. The number of records compromised this year ranged from 5,563 to 99,500 records, with the average being 28,512 records breached. Overall, the U.S. had the highest per capita cost of data breach ($225 in 2017) compared to all other countries in the study (see below).
The study defines a data breach as "an event in which an individual's name and a medical record and/or a financial record of debit card is potentially put at risk - either in electronic or paper format". The study identified three main causes of a data breach: malicious or criminal attack, system glitch, or human error. They defined a record as "information that identifies the natural person (individual) whose information has been lost or stolen in a data breach". A record could be a retail brand's database of customers and credit cards, social security numbers from a mortgage firm, or patient/physician info from a healthcare provider.
The calculation for the cost of a data breach took into consideration a range of process-related activities that drive expenditures within an organization's detection, response, containment and remediation efforts. The four cost centers are as follows:
1. Detection or discovery: Activities that enable a company to reasonably detect the breach of personal data either at risk (in storage) or in motion.
2. Escalation: Activities necessary to report the breach of protected information to appropriate personnel within a specified time period.
3. Notification: Activities that enable the company to notify data subjects with a letter, outbound telephone call, email or general notice that personal information was lost or stolen.
4. Post data breach: Communication with victims of a breach to help them minimize potential harms and other assistance such as credit card report monitoring or reestablishing a new account or credit card.
The factors with the most influence the cost of a data breach include the size of the breach, how many records were compromised or stolen, the speed at which the breach was contained, the scope of victims to be notified, and whether the attack originated from criminal intentions or from system glitches and human negligence. The bigger the violation, the longer it takes to identify and contain, and the more malicious the intent, the higher the cost to U.S. companies. Almost half (47%) of the organizations represented in the study identified the root cause of the data breach as a malicious or criminal attack.
The per capita cost of a data breach also varies by industry, with Health, Financial, Services, and Life Sciences in the top 25%:
The study also revealed that the most significant increases in preventive measures are endpoint security solutions and security intelligence solutions.
One of the largest financial impacts to the overall cost of a data breach is the loss of revenue from churned customers. Interestingly, research showed that having a senior level leader, such as a Chief Privacy Officer or Chief Information Security Officer, participate in communications and recovery initiatives helped mitigate the loss of customer trust and reduced churn. It also showed that the quicker companies identified and contained the data breach, the lower the overall costs.
The above statistics are just part of the compelling information covered in the IBM and Poneman Institute research report. The study is a must-read for IT Managers and System Administrators and covers why costs have increased, the impacts on customer churn, which industries are more vulnerable, and which solutions have become more critical to securing data and systems.
Automox is a global provider of patch management and endpoint protection solutions that give companies real-time access to the configuration and patch status of every endpoint, along with the ability to automate patch execution and policy enforcement. You can see for yourself with our 15 day free trial.