IBM Security on Wednesday released its latest report examining the costs and impact associated with data breaches. The findings paint a grim portrait of what the clean up is like for companies whose data becomes exposed — particularly for larger corporations that suffer so-called “mega breaches”, a costly exposure involving potentially tens of millions of private records.
According to the IBM study, while the average cost of a data breach globally $US3.86 million ($5.24 million) — a 6.4 per cent increase over the past year — costs associated with so-called mega breaches (an Equifax or Target, for example) can reach into the hundreds of millions of dollars.
The average cost of a breach involving one million records is estimated at around $US40 million ($54 million), while those involving 50 million records or more can skyrocket up to $US350 million ($475 million) in damages.
Of the 11 mega breaches examined by IBM, 10 were a result of criminal attacks.
The average amount of time that passes before a major company notices a data breach is pretty atrocious. According to IBM, mega breaches typically go unnoticed for roughly a year.
Loss of business remains one of the largest expenses in the wake of a high-profile breach. Companies that have suffered breaches involving 50 million stolen records or more can expect to lose up to $US118 million ($160 million) in business — a third of the cost associated with the incident.
Other key findings of the study include:
- The average time to identify a data breach is 197 days, and the average time to contain a data breach once identified is 69 days.
- Companies that contained a breach in less than 30 days saved over $US1 million ($1.4 million) compared to those that took more than 30 days ($US3.09 million [$4.2 million] vs. $US4.25 million [$5.8 million] average total).
- Each lost or stolen record costs roughly $US148 ($201) on average, but having an incident response team (surprising, not every company does) can reduce the cost per record by as much as $US14 ($19).
- The use of an AI platform for cybersecurity reduced the cost by $US8 ($11) per lost or stolen record.
- Companies that indicated a “rush to notify” had a higher cost by $US5 ($7) per lost or stolen record.
- US companies experienced the highest average cost of a breach at $US7.91 million ($10.4 million), followed by firms the Middle East at $US5.31 million ($7.2 million).
- Lowest total cost of a breach was $US1.24 million ($1.7 million) in Brazil, followed by $US1.77 million ($2.4 million) in India.
In the United States, costs associated with loss of business after a data breach are actually higher than the total cost of dealing with a data breach globally, and “more than double the amount of ‘lost business costs’ compared to any other region surveyed”.
There are many hidden costs associated with data breaches, said Wendi Whitmore, global lead at IBM X-Force, the company’s renowned security research division, including reputational damage, customer turnover and operational costs.
“Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake,” Whitmore said.
Download the full 2018 Cost of a Data Breach Study here.