The 2019 report on the costs of data breaches was sponsored by IBM Security and researched by the Ponemon Institute in Traverse City, Michigan. Ponemon reached out to 507 companies around the world that sustained data breaches between July 2018 and April 2019 and conducted 3,211 separate interviews. Data breaches ranged from a low of 2,000 compromised records to slightly more than 100,000 records.
Numerous factors were examined such as legal, regulatory and technical costs, loss of brand equity, customer turnover and the drain on employee productivity. The study examined both accidental breaches and deliberate actions such as hacking.
The report found that the average data breach involved 25,575 computer records. It found that on average it took a company 279 days to realize that its data had been hacked or otherwise compromised and take action dealing with the breach. Each affected computer record cost companies an average of $150, according to the report.
The U.S. had the highest average cost of a data breach per company of $8.19 million, compared with an average worldwide cost per company of $3.92 million. The health care industry had the highest cost of all industries studied at $6.45 million per data breach, about 60% higher than the average of the other industries. Seventeen industries were examined, such as transportation, communication, pharmaceuticals and hospitality. When IBM began reporting on the costs of data breaches in 2006, the average impact on a U.S. business was $3.54 million.
The report said that the cost figures of data breaches that were studied do not apply to catastrophic mega data breaches, such those which affect major collectors of data such as Equifax or Facebook.
The study found that small and midsize businesses suffered the worst financial consequences from data breaches when viewed in the context of their financial situations. The average loss for companies with fewer than 500 employees was $2.5 million per breach, quite significant in view of the study categorizing these businesses as having annual revenues of less than $50 million.
This is the 14th year that IBM has issued the report and for the first time it examines the longer-term impacts of a data breach. While an average 67% of data breach costs were handled in the first year after the breach, 22% accrued in the second year with another 11% accumulating more than two years after the breach took place.
Malicious attacks, such as hacking via the internet, cost companies an average of $4.45 million, which was an average of $1 million more than the cost of data breaches resulting from system problems or human error. These inadvertent breaches were responsible for about 49% of the losses.
Having automated security technologies in place was a cost-saver, according to the report, with the average cost of a breach being cut to about $2.65 million. If a company made extensive use of encryption, the total cost of a data breach was cut by about $360,000.
The report said that an organization’s ability to respond effectively after a data breach is strengthened by the presence of an incident response (IR) team that follows a plan. Cost savings are produced when there has been extensive testing of the IR plan. Organizations conducting extensive testing of an IR plan had breach costs that were $1.23 million less than the costs faced by other organizations.
The 2019 report showed that a business is 31% more likely to experience a data breach today than it would have in 2014. Back then, an organization had a 22.6% chance of experiencing a data breach within a two-year period. In 2018, that increased to a 27.9% chance.
“Cybercrime represents big money for cybercriminals and unfortunately that equates to significant losses for businesses,” IBM’s Wendi Whitmore said. She is the global leader for IBM X-Force Incident Response and Intelligence Services. “With organizations facing the loss or theft of over 11.7 billion records in the past three years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line and focus on how they can reduce these costs,” Whitmore said.