Do you have any idea how much a data breach can cost your business? To begin, let's quickly clarify what exactly a data breach is. A data breach happens when data from a person, customer, or company (such as name, medical record, bank and financial data, etc.) is put at risk and exposed in an untrusted environment. It could be due to a hacker attack, human error or system glitch. If this description made a data breach look like a big problem, it’s because it really is. Data breaches may be responsible for financial losses, credibility damages and even business closure.
We know you're curious about costs, so let’s get to it. A recently released report by the Ponemon Institute, on behalf of IBM, shows that the average cost of a data breach is around USD 3.9 million. The numbers varies from country to country, the highest being in the US, with an average cost of USD 8.19 million, while the lowest is in Brazil, with an average cost of USD 1.35 million.
These figures were based on data collected from 507 companies from 16 countries and regions, spread across 17 different industries. They all went through a data breach episode between July 2018 and April 2019.
In addition to the average cost of a data breach, the study brought several other interesting points that you can check out below. We've highlighted some of them, such as costs by company size and industry, incident response time, causes and also factors that helped mitigate the damage.
It’s also important to highlight everything that’s counted as a data breach cost. It includes costs to detect and report the breach; to notify users and regulators; to put in place a response plan and afford fines, legal fees, and compensation to affected clients; and, especially, lost business. Lost business is responsible for the main costs of a data breach, and includes, for example, lost costumers and losses due to business disruption and system downtime.
Check out the highlights of the report on data breach cost
Small businesses have high losses
Contrary to what we might imagine, the high costs of a data breach episode are not restricted to large corporations. Companies with less than 500 employees had an average cost of around USD 2.74 million, and companies with 500 to 1,000 employees reported USD 2.65 million. It’s a significant amount for small and medium businesses (SMBs).
In addition, SMBs have a disproportionately higher data breach cost per employee when compared to enterprises. Check it out: the study reported costs of USD 204 per employee for companies with more than 25,000 employees, compared with USD 3,533 per employee for companies with 500 to 1,000 employees. It’s clear, then, that for SMBs the financial impact of a data breach may be irreparable.
Costs vary according to the industry
The study analyzed companies from 17 different industries. It found out that the highest costs from a data breach episode occurred in the most regulated industries, with more rigorous regulatory requirements.
The five industries with the highest average cost per data breach episode, measured in millions, were health (USD 6.45), financial services (USD 5.86), energy (USD 5.60), industrial (USD 5.20) and pharmaceuticals (USD 5.20). The lowest average costs were in media (USD 2.24), hospitality (USD 1.99), retail (USD 1.84) and research (USD 1.65), as well as the public sector (USD 1.29), which usually has lower costs because it doesn’t experience customer loss the way companies do.
Response time influences costs
Another item reported on the study was the response time and the data breach lifecycle, which is the time between the day the incident occurs and the day it’s finally contained. This is an important factor because it directly influences the data breach financial impact. The faster a breach is identified, the lower the cost.
On average, the lifecycle of a data breach episode in 2019 was 279 days. Identifying a breach took an average of 206 days, plus other 73 days to contain it.
Data breaches in healthcare companies had the worst response time. According to the report, the mean time to identify a breach was 236 days, and the mean time to contain it was 93 days.
Just take a look at the financial impact this might have: breaches that took less than 200 days to detect and contain cost about USD 1.2 million less than those that took longer. That’s a 37% reduction in the average cost, from USD 4.56 million to USD 3.34 million.
Malicious attacks are behind most data breaches
There’s a cause behind every data breach episode, be it a malicious attack, a human error, or a system error. Most of the breaches (51%) analyzed by the study occurred due to a malicious attack. In terms of costs that’s worrying, since breaches caused by attacks took longer to detect and contain (314 days, compared to an average of 279 days) and cost 37% more than breaches caused by system glitches.
In addition, breaches caused by human error may also have a link to a malicious attack. That’s because the study included in the human error category people who were victim of phishing attacks or who had their equipment infected, therefore inadvertently allowing for sensitive data exposure.
Prevention is key to reducing damage
If you are by now a little creeped out after so many scary numbers, rest assured that not all is lost. Another point highlighted in the report is that prevention can greatly reduce the costs of a data breach.
The first tip is: set an incident response plan, as we’ve already talked about in this post, assemble the team responsible for executing this plan and test it. According to the study, companies that had an incident response team and tested their incident response plan with simulations and exercises had a USD 1.23 million reduction in the average cost of a data breach episode.
Another important factor is investing on security elements such as encryption, Data Loss Prevention (DLP), threat intelligence sharing and DevSecOps. These were all factors that helped mitigate costs before or after a data breach, especially encryption, which provided the most savings. In addition, a Business Continuity Management following the breach episode also helped to reduce costs.
Still talking about security, another factor pointed out by the study as a cost mitigator was the use of automated security solutions that reduce the need for human intervention. In this case, we're talking about solutions that use artificial intelligence, machine learning, automatic incident response, etc. Companies that didn’t use automated security had 95 percent higher costs in case of data breaches than companies with fully-deployed automation.
This shows the importance of investing in security, which can lower costs and help prevent episodes such as data breaches. As the study has shown, a breach can occur with companies of all sizes, causing significant financial damage to small and medium businesses as well.
Click here to view the 2019 Cost of a Data Breach Report.
If you want to know more about how to protect your company, please contact us. Gatefy's team is specialized in cybersecurity and can help your business be better prepared for cyber threats.