Data breaches getting costlier, harder to detect and repair says IBM study

IBM's newly released annual survey of the financial consequences of data breaches on organizations found that the cost of a data breach has risen 12% over the past five years and that recovery can affect the bottom line for years.

Larry Ponemon, Chairman and Founder of the Ponemon Institute, the research think tank dedicated to advancing privacy and data protection practices that conducts the research for IBM, said:

This year, we found that the time it takes organizations to identify and contain a breach - what we call the data breach life cycle - is 279 days. The 2019 life cycle is 4.9 percent longer than the 266 day average in 2018. In addition, we found that the longer a breach's life cycle is, the greater the total cost. This is especially true in the case of malicious and criminal attacks, which take an average of 314 days to identify and contain.

The average breach now costs $3.92 million which reflects the multiyear financial impact of breaches, increased regulation and the complex process of resolving criminal attacks, the report said. This year's report also found that the average lifecycle of a breach was 279 days with companies taking 206 days to first identify a breach after it occurs and an additional 73 days to contain the breach.

Some of the top findings from this year's report are:

Malicious and criminal attacks were the leading root cause of data breaches in 2019 at 51 percent.Over 50 percent of data breaches in the study resulted from malicious cyberattacks and cost companies $1 million more on average than those originating from accidental causes. System glitches - breaches caused by technology failures not attributable to a human, such as a vulnerability - and human error - caused 25 percent of data breaches. Human error was the root cause of 24 percent of breaches. Ponemon added:

While much attention in the security world is placed on malicious attacks, it's worth noting that breaches caused by system glitches and human error can have consequences that are just as serious.

The bigger the breaches, the bigger the losses.While less common, breaches of more than 1 million records cost companies a projected $42 million in losses; and those of 50 million records are projected to cost companies $388 million.

Preparation makes a huge difference.Having an incident response team in place and extensive testing of incident response plans were two of the top three greatest cost-saving factors examined in the study. Companies that had both of these measures in place had $1.23 million less total costs for a data breach on average than those that had neither measure in place ($3.51 million vs. $4.74 million). Extensive use of encryption was also found to reduce the total cost of a data breach by $360,000.Poneman added:

Several other cost-mitigating factors worth noting are business continuity management, a DevSecOps approach, artificial intelligence (AI) platforms and good, old-fashioned employee education.

But…

On the other side of the ledger, we found that the involvement of a third-party partner tends to increase the total cost of a data breach by about $370,000. Other factors found to increase the average total cost of a data breach include compliance failures, extensive cloud migration, operational technology (OT) infrastructure and system complexity.

Data breaches in the U.S. cost $8.19 million-more than double the worldwide average.

Healthcare breaches are the most costly.For the ninth year in a row, healthcare organizations had the highest cost of a breach - nearly $6.5 million on average (over 60% more than other industries in the study). Ponemon said.

Healthcare organizations in this year's study had an abnormal customer turnover of 7 percent, and financial services had abnormal customer turnover of 5.9 percent versus an average customer turnover of 3.9 percent. Lost business is the biggest contributor to data breach costs, accounting for 36 percent of the average total cost.

My take

Data breaches are an unfortunate fact of life for major global enterprises today and the report confirms that they are becoming more severe and more expensive. The increased scrutiny by government and regulators is certain to become another key financial factor in the coming years.

While the financial recovery costs can be quantified, the cost in lost customer loyalty and business is incalculable.

Data breaches can be particularly devastating for small and midsize businesses. In the study, companies with less than 500 employees suffered losses of more than $2.5 million on average - a crippling amount for small businesses, which typically earn $50 million or less in annual revenue.

The report provides valuable information on how companies can mitigate the costs of data breaches, most notably by mobilizing and testing an standing incident response team. In the study, organizations who were able to detect and contain a breach in less than 200 days spent $1.2 million less on the total cost of a breach.

Interesting that the report doesn't specifically address why recovering from a data breach costs U.S. firms twice as much as the global average, although it does point out that using third-party consultants adds considerably to the costs.