2019 Report Quantifies Data Breach Costs, Suggests Cost Mitigators

Organizations big and small are making significant investments in cybersecurity. Yet, unlike other investments, it’s difficult to assess a company’s return on investment for its cybersecurity spending. And while businesses in regulated industries must invest in cybersecurity to remain in compliance with prevailing laws and therefore stay in business, there is no such straight line between cybersecurity and profitability.

Instead, cybersecurity investment is an opportunity to prevent loss – by reducing the risk of a cyber incident and minimizing the cost when one occurs. The 2019 Cost of Data Breach Report by the Ponemon Institute and IBM Security is an important resource for any organization attempting to quantify the value of a cybersecurity investment and the amount of its exposure in the event of a data breach. You can obtain a copy of this informative report by registering here.

The report analyzed data from more than 500 companies around the world that had experienced a cyber breach from July 2018 through April 2019. That data was compared to the information collected from different set of companies that had been surveyed the prior year, and in years past for over a decade.

Generally, the report concluded that the average size of a data breach is 25,575 records at an average cost of $150 per lost record. (Obviously, these numbers were not indicative of the catastrophic breaches in that time period.) While the average total cost of a data breach worldwide was $3.92 million, it was highest in the U.S. where it averaged $8.19 million. Notably, in 2019, organizations had an almost 30% greater chance of experiencing a data breach within the next two years. The report noted that organizations in the 2019 study were nearly one-third more likely to experience a breach within two years than they were in 2014.

Key Findings

With those frightening statistics in mind, the report provided certain key findings. Perhaps most surprisingly, the report concluded that lost business was the biggest financial consequence to companies that suffered data breaches. The report found that 36 % of the cost of a data breach was attributable to lost business resulting from customers’ eroded trust. Moreover, breach costs impacted organizations for years after the incident itself. Indeed, the report noted that more than one-third of the cost of a data breach occurred in the second and third year after a breach. This long-term impact was found to be particularly acute in highly regulated industries, like healthcare and finance. The report also concluded that smaller organizations have higher costs relative to their larger organizations, when the cost of the breach is assessed on a per-employee basis. As a result, smaller organizations may be hampered in their ability to recover financially from a data breach incident.

The report concluded that the “lifecycle” of data breaches had grown longer in the past year. Data breach lifecycle is the time between the discovery of a breach incident and its containment. It is an important metric for entities to watch, since it has been established that the faster a data breach is identified and controlled, the lower its cost. For example, in 2019, breaches with a lifecycle of less than 200 days were 37% less costly than those in excess of 200 days.

Next, the report considered the sources of data breaches during the relevant time. It stated that “malicious attacks” have become the most common and most costly source of breaches. Indeed, malicious attacks have surged from being the cause of only 21% of incidents in 2014 to 51% of incidents in 2019. Moreover, breaches caused by malicious attack were 27% more costly than those caused by human error and 37% more costly than those caused by system glitches. Nevertheless, inadvertent breaches remained the root cause of 49% of all breaches, which were divided about equally between those caused by human error (such as phishing) and system glitches.

Cost Factors to Watch

There were 26 cost factors studied for the report, many of which were shown to have profound impact on the costs incurred in responding to a data breach incident. On the one hand, recent and substantial cloud migration, system complexity and regulatory compliance failures were all noted to be “cost amplifiers.” Costs were also noted to be 95% higher for organizations that did not deploy automated security as compared to those with fully deployed automation.

Other factors were considered to be “cost mitigators” that helped to reduce costs “preventatively or in the aftermath of a breach.” Wide use of encryption and business continuity management after a breach had the greatest impact on breach costs containment. Data loss prevention, threat-intelligence sharing and integrated security into the software development process were likewise noted to be “cost mitigators.” The presence of an incident response plan, especially when accompanied by an identified incident response team and testing of the response system before an incident occurred, were important tools to help entities respond faster, contain the breach sooner and mitigate the total cost.

How to Minimize Financial Consequences

The report’s conclusion outlines steps that organizations have taken that appear to have helped them reduce data breach costs. Although no single cybersecurity program can eliminate the risk of a data breach and the cost of responding to one, the report offers the following strategies for entities to consider:

• Designate an incident response team and incident response plan that is regularly tested;
• Delegate privacy responsibilities to specific individuals whose duties include preservation of trust and reduction of customer loss in the event of breach;
• Make appropriate use of encryption for sensitive data;
• Invest in technology to improve rapid detection and containment of a data breach when it occurs;
• Invest in governance, risk management and compliance programs;
• Minimize IT complexity and maximize security.

Businesses may be hesitant to invest their hard-earned profits in preventative cybersecurity. Given the high cost of responding to a data breach, however, and a breach’s potentially disastrous impact on a business’s bottom line for years to follow, “an ounce of prevention is worth a pound of cure.” Businesses should take steps now to assess their exposures, enact reasonable policies and practices and mitigate the cost of a data breach.