Unfortunately, data breaches are a regular occurrence. The average cost of a data breach worldwide is now $3.62 million, down 10% from last year. However, the cost of a breach varies by region.
Amid all the hysteria created by the recent global ransomware attacks, two recent data breaches have focused attention back on the process of securing company data. Two weeks ago, Verizon confirmed that the data of as many as six million customers was exposed online due to improper handling by an employee. The exposed data included the active PINs of these customers. Although Verizon was quick to state that the PINs alone cannot access online accounts, chances are the majority of these customers use the same PINs for other accounts. This is why data breaches such as these have lasting effects.
At the same time, a breach of 14 Trump properties was detected last month although the data breach occurred months earlier. Whoever the hackers were, they hit the jackpot, accumulating a treasure chest of credit card numbers, expiration dates, security codes, social security numbers, home addresses and password information just to skim the surface. Yes, even the President of the United States is not immune from a data breach.
Data breaches can be astronomically expensive for the organizations afflicted, and some never bounce back. According to a joint report by IBM and the Ponemon Institute, The 2017 Cost of Data Breach Study: Global Overview, the total cost of a data breach is $3.62 million on average. The average cost per data record is $141. The report is based on a study of 419 companies located in 13 countries or regions that had experienced a data breach.
The True Cost of a Data Breach
Determining the true cost of a data breach is difficult as related costs are incurred on so many fronts. In order to put a hard number to paper, the team broke down the cost structure accordingly:
- Direct cost – the direct expense outlay to accomplish a given activity.
- Indirect cost – the amount of time, effort and other organizational resources allocated to data breach resolution, but not as a direct cash outlay.
- Opportunity cost – the cost resulting from lost business opportunities as a consequence of negative reputation effects after the breach is reported to victims.
They then outlined all of the tasks normally associated with the discovery of, and the immediate response to, a data breach, which include:
- Conducting investigations and forensics to determine the root cause of the data breach
- Determining the probable victims of the data breach
- Organizing the incident response team
- Conducting communication and public relations outreach
- Preparing notice documents and other required disclosures to data breach victims and regulators
- Implementing call center procedures and specialized training
What to do in the Aftermath of a Discovery
They also broke down the costs of the tasks normally conducted in the aftermath of a discovery. This latter group of activities included:
- Audit and consulting services
- Legal services for defense
- Legal services for compliance
- Free or discounted services offered to victims of the breach
- Identity protection services
- Lost customer business based on calculating customer churn or turnover
- Customer acquisition and loyalty program costs
One finding that was common to all of the participating companies was that the sooner a breach is identified and contained, the lower the costs. The time to discovery for the 419 companies ranged between 24 and 546 days, with a mean of 191 days. From discovery, the mean time to contain the breach was 66 days, with a range of 10 to 164 days. This statistic illustrates just how difficult it is to shore up a breach from start to finish.
When comparing the cost of a data breach amongst different countries and regions, the United States proved the costliest. The U.S. topped the list in both of the following categories.
Cost of a data breach per capita
- The U.S. had the highest average per capita cost - $225
- Canada was second with a cost of $190
- India proved the least costly at $64
Total organizational cost of a data breach
- The U.S. had the highest overall cost of $7.35 million
- The Middle East was second with a cost of $4.94 million
- India again proved the least costly at $1.68 million
On closer examination, it was not direct costs that propelled the United States to the top of both lists. It was indirect costs, primarily litigation expenses, compliance fines, loss of business and the cost of offering victims identity protection services. According to a recent article in Business Insider, companies have had to pay upwards of $10 million to settle class action lawsuits after a large data breach. Home Depot reported that the total costs incurred for its data breach in 2014 amounted to $263 million. Target’s total cost is assessed at $291 million.
Two Ways to Reduce these Costs
Any company that retains data silos of personal information should encrypt the data. Data that is encrypted can be stolen, but it cannot be accessed. Encrypted data is useless data if you do not have the key to decrypt it. Data should be encrypted throughout the enterprise, whether it resides on a database server, laptop or cloud drive. With the EU’s General Data Protection Regulation coming into force next year, EU companies may find this advantage short-lived. Under GDPR, firms could be fined up to €20m (£17.6m) or 4 per cent of annual turnover, whichever is higher.