Average Cost of Breach Goes Down For the First Time Ever

The good news is that the cost of a data breach is down by double digits; the bad news is that the size and scope of breaches are creeping up.

NEW YORK–The global average cost of a data breach last year dropped 11.4 percent from 2015 to $3.6 million. The reduction is attributed mostly to a strong U.S. dollar, with wins also offset by a 1.8 percent increase in the size of breaches in 2016.

The numbers come from Peter Allor, senior cyber security strategist with IBM Security, who discussed a just-released IBM-sponsored Ponemon Institute Cost of a Data Breach Study at the Borderless Cyber event.

In a data-heavy talk today, Allor noted U.S. residents have a one-in-four chance of becoming a breach victim over the next two years. Those same individuals have a 2.1 percent increase in the likelihood of a recurring material data breach. People living in South Africa are in the highest risk pool with a 41 percent chance of being breached, followed by India (40 percent) and Brazil (39 percent). Canadians and Germans are the least likely to be breached, both with 15 percent odds.

For businesses, he said, the loss of customers is the biggest contributor to the total cost of a breach.

“When you look at loss of business costs, breaches create much higher rates of turnover or churn. The question is, what is the cost of gaining a new customer to replace a lost customer and how much was lost in opportunities?” Allor said. That drop in customers occurs approximately 170 days after the initial breach.

By IBM’s calculations, loss of business represents 41 percent of a breach’s impact. That’s followed by 27 percent of costs going toward forensics and determining the root cause of an incident. About 25 percent is spent on help desk support, legal costs and identity protection services. About 3.6 percent is spent on disclosure notifications to victims and regulators.

Interestingly, the report found that when businesses identified and contained a breach in under 100 days it significantly reduced the overall costs of the breach by as much as 26 percent.

When it comes to how companies are getting breached, malicious attackers or insiders are the top culprits, representing 47 percent of breaches. “Malicious insider understands where and how the internal data is stored,” Allor said. “They know how you protect the data.”

After hackers, human errors, such as those related to phishing, are tied to 28 percent of breaches, followed by “system glitches,” representing 25 percent. “A system glitch is an IT process or business process just failing,” he said.

So what actually lowers the cost of a data breach? According to the Cost of a Data Breach Study, having an incident response team in place, extensive use of encryption and employee training help the most. Factors increasing the cost of a breach, after the fact, are third-party involvement, extensive cloud migration and compliance failures, according to the report.

Harder to estimate, and not captured in the study, are reputational losses that may have a long-term impact on a company, said Allor.
