Data breaches, security incidents in which an unauthorized entity gains access to sensitive and secure data, happen frequently in our increasingly digital world. In 2018 alone, the United States experienced 1,244 data breaches, which resulted in the exposure of 446.5 million records. These incidents can have severe financial impacts, both direct and indirect, on the companies that fall victim to them.
According to a study conducted by the Ponemon Institute called the 2018 Cost of a Data Breach Study, the global average cost of a data breach is $3.86 million. This is a 6.4 percent increase as compared to the 2017 version of the report. According to the most recent report, the average cost per compromised record is $148. Those numbers pertain to data breaches that affected 2,500 to 100,000 records.
The Ponemon Institute also looked at “mega breaches,” which are those that involve between 1 million and 50 million records. The study found that the average cost of a data breach involving 1 million records was $40 million, and the average cost of an incident that affected 50 million records was $350 million.
Table of Contents
- What Goes Into the Cost of a Data Breach?
- Cost of Data Breach by Region
- Cost Differences by Type of Breach
- How Can Companies Reduce Costs?
What Goes Into the Cost of a Data Breach?
Various factors impact how much a data breach costs. Some of these influences are directly related to the breach, such as the costs of technical investigations, notification of affected individuals, recovery and legal and regulatory activities. Others, such as reputation damage and lost business, are harder to see. The Ponemon Institute looked at many different factors when calculating data breach cost and found that these hidden factors are especially expensive and difficult to manage.
When looking at the costs of mega breaches, the researchers found that the average costs they calculated were higher than the costs that companies publicly reported. The study’s authors noted that this may be because public reports often include direct costs.
In the following sections, we’ll look at four categories of factors that go into data breach costs:
- Detection and escalation
- Notification costs
- Post data breach response
- Lost business
1. Detection and Escalation
The detection and escalation category includes costs related to enabling a company to detect and report a breach to the appropriate personnel. It includes costs such as:
- Investigative activities
- Assessment and audit services
- Crisis management
- Internal communications
The study looked at costs by country and region and found that Canada had the highest detection and escalation costs, while Brazil had the lowest. In Canada, the average cost for detection and escalation was $1.78 million. In Brazil, it was $370,000. The United States had an average detection and escalation cost of $1.21 million.
2. Notification Costs
Many data breach regulations require that companies notify the relevant regulatory authorities and the individuals whose data was compromised once they become aware of a data breach. Different regulations have different timeframes and rules for how companies must do this. Examples of notification costs include:
- Creating contact databases
- Sending out letters or emails, making phone calls or otherwise providing notice to individuals affected whose data a breach affected
- Setting up systems for inbound communication
- Determining notification requirements, working with outside experts and communicating with regulators
The Ponemon Institute study found that the United States had by far the highest notification costs at $740,000. This is likely due to the United States’ more stringent notification requirements as compared to other countries. India had the lowest notification costs at $20,000. Costs for other countries, especially those located in Europe, will likely rise before the next report due to the requirements of the European Union’s General Data Protection Regulation (GDPR), which went into effect on May 25, 2018.
3. Post Data Breach Response
Post data breach response costs include costs related to helping affected individuals deal with the impacts of a breach, redress activities and fines. Examples of these kinds of costs include:
- Inbound communications and help desk activities
- Identity protection and credit report monitoring services provided to customers
- Legal costs
- Discounts on products
- Fines from regulators
According to the Ponemon Institute’s findings, the United States and the Middle East have the highest post data breach response costs. U.S. data breaches cost on average $1.76 million. In the Middle East, they cost $1.47 million. The study notes that costs are likely higher in the U.S. and the Middle East because companies located there are more likely to invest in activities aimed at minimizing customer loss while also quickly resolving the breach. Brazil had the lowest post data breach response costs at $370,000.
4. Lost Business
Lost business is one of the most significant costs associated with data breaches. For mega breaches, the study found that one-third of the cost came from this category. For breaches that affected 50 million records, the study’s authors estimated that lost business resulted in approximately $118 million in costs. Expenses included in the lost business category include:
- The cost of business disruption and revenue losses due to system downtime
- The cost of lost customers
- Costs associated with acquiring new customers
- Damage to reputation
Companies that lost less than one percent of their customers as a result of a data breach has an average total cost of $2.8 million, according to the study. Those that lost four percent or more saw an average total cost of $6 million — a $3.2 million difference.
For the 477 companies surveyed for the study, the global average churn rate was 3.4 percent. France, Japan and Italy had the highest abnormal churn, which is the greater-than-expected loss of customers following a breach as defined by the study’s authors. The lowest abnormal churn rates were in Turkey, South Korea and Australia.
Businesses in the U.S. had the highest costs due to losing customers at $4.2 million, which is higher than the global average for the total cost of a breach. This number is also more than double the lost business costs of any other country included in the study. These costs may be higher in the U.S. because customers have more options and less loyalty to companies. U.S. breach notification regulations may also mean that customers have more awareness of data breaches and a higher expectation for companies following a breach.
Cost of Data Breach by Region
The study also separates total average costs by country and region. Overall, it found that breaches are most expensive in the United States and the Middle East and least expensive in Brazil and India. The average cost of a breach for U.S. companies was $7.91 million. For companies in the Middle East, it was $5.31 million. In India, the average total cost was $1.77 million, while in Brazil, it was $1.24 million.
The United States also has the highest cost per compromised record, followed by Canada and Germany. Here are the top three:
- U.S.: $233
- Canada: $202
- Germany: $188
And here are the bottom three, where the capital costs were lowest:
- Turkey: $105
- India: $68
- Brazil: $67
Canada had the highest direct costs from data breaches, which includes thing like investigative activities, sending out notifications, hiring a law firm and providing identity protection services to customers. The average direct costs per each record in Canada equal $81. The United States had the highest indirect costs, which include lost business, damaged reputation and employees’ time, effort and other resources. Indirect costs per record in the U.S. were $152 on average.
The average size of a data breach also varied between region. Overall, the average data breach size was 24,615, a 2.2 percent increase from the 2017 study. Companies in these areas had the largest average number of affected records per breach:
- Middle East: 36,451
- India: 34,110
- U.S.: 31,465
Here’s where the average number of affected records per breach was smallest:
- Japan: 19,200
- Australia: 19,422
- South Africa: 21,090
Even though the average costs in some countries are relatively low compared to those in others, the impacts of breaches can still be quite significant there. Any price is too high to pay for a data breach, especially when it can be prevented.
Cost Differences by Type of Breach
The type of data breach may also impact how costly it is. The Ponemon Institute report looked at three root causes of breaches — breaches caused by malicious or criminal attacks, those caused by system glitches and those caused by human factors — and compared the costs.
The report found that breaches caused by malicious or criminal attacks were substantially more expensive than those caused by human factors or system glitches. The average per-record cost for this type of breach was $157. Although the average costs of malicious or criminal attacks varied by region, this kind of attack is consistently the most expensive across regions. The United States had the highest cost per record for this type of breach at $258, while Brazil had the lowest at $73. Criminally motivated or malicious attacks are also the most common cause of data breaches, according to the study. Globally, 48 percent of breaches were caused by a malicious or criminal attack.
The next most expensive data breaches were those caused by system glitches, which includes IT issues and business process failures. This type of breach cost an average of $131 per record. This kind of incident makes up about 25 percent of all breaches.
Breaches caused by human factors such as errors or negligence on the part of employees or contractors were the least expensive of the three types with an average per-record cost of $128. Human factors cause approximately 27 percent of data breaches.
Why do criminally motivated breaches tend to cost more? It may be because they are harder to identify since they are often designed to avoid detection. These types of breaches are also harder to contain and remediate even after they’re detected. This may be because they often cause more extensive damage than other types of breaches.
How Can Companies Reduce Costs?
So, how can companies reduce the cost of security breaches that they may experience? Investing in technologies and processes that cut down on the time it takes to detect and contain a breach as well as meet regulatory requirements can make a significant difference in cost.
The Ponemon Institute study found that there’s a link between the time it takes a company to detect a breach and the cost of that breach. If the average time to detect a breach was under 100 days, the estimated average cost of data loss was $3.11 million. If the average detection time was more than 100 days, the estimated average cost was $4.21 million — a $1.1 million difference. According to the study, the average time to identify a data breach is 197 days. The longer a breach goes undetected, the more time there is for a hacker to cause damage or for unauthorized users to find accidentally exposed records. This is why it’s important to invest in tools that can help with detecting and investigating security incidents.
The time it takes to contain a breach also affects the cost. The study found that companies that contained a breach in less than 30 days had an estimated average total cost of $3.09 million. For companies that took more than 30 days, it was $4.25 million, a difference of more than $1 million. The average time to contain a breach was 69 days. This suggests that companies can save money by investing in tools and processes that can help contain security breaches.
The study identified several specific tools, processes and systems that could help reduce data breach costs, including:
- The report found that having an incident response team saved companies the most money. It reduced costs by $14 for each record affected.
- The extensive use of encryption led to a cost reduction of $31.10 per record.
- The use of business continuity management, a framework for identifying risk of exposure to threats such as security breaches, led to savings of $9.30 per record.
- Adequate employee training reduced costs by $9.30 per record as well.
- Participating in threat information sharing led to cost reductions of $8.70 per record.
- Using a cybersecurity platform that incorporates AI can reduce costs by $8 per record. The extensive use of automated cybersecurity technologies can reduce the cost of a data breach by more than $1.5 million. The study found that companies that used automated technologies had average costs of $2.88 million, compared to $4.43 million for companies that did not use these technologies.
- The use of security analytics resulted in savings of $6.90 per record.
- The extensive use of data loss prevention, strategies or software that aim to prevent users from sending sensitive or critical information outside of the company’s network, can save companies $6.80 per record.
Protect Your Company With BlackStratus
At BlackStratus, we offer several technologies that can help you protect against data breaches and reduce the costs associated with them. Our LOGStorm solution can help you to enhance your security and simplify compliance by serving as a reliable way to collect, store and report security event data. A powerful, flexible and cost-effective log management and log monitoring solution, LOGStorm combines comprehensive log management with correlation technology, real-time log monitoring and an integrated response system. LOGStorm offers:
- Detailed, real-time visibility into your organization’s security and compliance posture
- World-class speed and performance
- Incident event data storage
- Prioritized threat identification, alerts and remediation guidance
- Comprehensive, flexible and automated log management reporting
- On-board log storage with easy access to event logs
- Guide to Detecting and Preventing Ransomware
- How Much Should Your Company Invest in Cybersecurity?
- Breach Discovery: How Long Does Detection Take?
- What Is the Difference Between a Security Incident and a Security Breach?