
‘Mega breaches’ take a big toll on the bottom line

Hidden costs associated with larger data breaches are putting targeted companies at an even bigger financial risk.

The average cost of a data breach globally is $3.86 million, a 6.4% increase from 2017. However, hidden costs associated with mega breaches are causing additional financial damage, according to “The 2018 Cost of a Data Breach Study,” from IBM Security.

According to the data, mega breaches – which range from 1 million to 50 million lost records – cost companies between $40 million and $350 million, respectively. One-third of the cost of mega breaches was derived from lost business. This equates to nearly $118 million for breaches of companies with 50 million lost records.

In the past five years, the number of mega breaches has nearly doubled, from just nine in 2013 to 16 in 2017. Because mega breaches were rare in the past, the study historically analyzed data breaches involving around 2,500 to 100,000 lost records.

The vast majority of these breaches (10 out of 11) stemmed from malicious and criminal attacks, as opposed to system glitches or human error. The average time to detect and contain a mega breach was 365 days – almost 100 days longer than a smaller scale breach (266 days).

Costs continue to rise among data breaches of less than 100,000 records, as well. The average cost of a data breach was $3.86 million, compared to $3.50 million in 2014 – nearly a 10% net increase over the past five years of the study.

Costs are also heavily impacted by the amount of time spent containing a data breach, as well as investments in technologies that speed response time. The average time to identify a data breach was 197 days, and the average time to contain a data breach once identified was 69 days. Companies that contained a breach in less than 30 days saved over $1 million, compared to those that took more than 30 days ($3.09 million vs. $4.25 million average total).

The number of lost or stolen records also affects the cost of a breach, which averages $148 per lost or stolen record. The following factors increase or decrease this cost:

• Having an incident response team was the top cost saving factor, reducing the cost by $14 per compromised record.

• The use of an artificial intelligence (AI) platform for cybersecurity reduced the cost by $8 per lost or stolen record.

• Companies that indicated a "rush to notify" had a cost that was $5 higher per lost or stolen record.

Organizations that had extensively deployed automated security technologies, such as AI, machine learning, and analytics to augment or replace human intervention in the identification and containment of a breach, saved over $1.5 million on the total cost of a breach: $2.88 million, compared to $4.43 million for those that had not deployed security automation, the study revealed.

"While highly publicized data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified," said Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services (IRIS).

"The truth is there are many hidden expenses which must be taken into account, such as reputational damage, customer turnover, and operational costs," she added. "Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake."