One quarter of all data breaches last year were caused by human error. The average cost of all breach in the same time period was $3.92 million, a 1.5 percent increase from the year before.
Click to enlarge.
That’s according to the 14th annual Cost of a Data Breach report from the Ponemon Institute and IBM, measuring the impact of reported breaches between July 2018 and April 2019 at 507 organizations in 16 countries and regions and across 17 industry sectors. The report also found that the average total cost of a data breach continues to escalate over the long term: It has grown 12 percent over the past five years, up from $3.5 million in 2014.
Further, the amount of time it takes to remediate a data breach is growing as well. This year’s study shows that it takes an average of 279 days, which is 4.9 percent longer than the 266-day average in 2018.
Unsurprisingly, the report found that breaches stemming from malicious and criminal attacks (as opposed to, say, employee misconfigurations) take longer to mitigate, to the tune of 314 days on average to identify and contain. This is significant given that the cost of a breach with a lifecycle of more than 200 days is on average $1.2 million higher than those that are shorter.
Overall, malicious and criminal attacks are the leading root cause of data breaches in 2019 at 51 percent. System glitches caused a quarter (25 percent) of data breaches in 2019, and human error is the root cause of 24 percent of them.
Click to enlarge.
Some of the findings are consistent year-over-year; for instance, the most expensive country in terms of average total cost of a data breach is the U.S. at $8.19 million, more than twice the global average.
Healthcare remains the most expensive industry for data breach costs, with the total cost of a data breach in 2019 averaging $6.45 million.
The report also took a look at what cost mitigations should be included in the equations. The impact of testing an incident response plan for instance was notable: Having one reduces the average total cost of a breach by $320,000, the report found. Even better and representing the most impactful cost-reduction factor was the formation of an incident response team, which reduced the average total cost of a data breach by $360,000.
Extensive use of encryption was also found to reduce the total cost of a data breach, by $360,000.
Other cost-mitigating factors of note include business continuity management, a DevSecOps approach, artificial intelligence (AI) platforms and employee education.
And finally, the report studied what it referred to as the “long-tail” consequences of a breach. In looking at breach costs over several years at 86 organizations, the report determined that the majority of breach costs occur in the first year after an incident, with a third being incurred more than a year after a breach.
In highly regulated industries like healthcare or financial services, legal and regulatory costs such as class action lawsuits and regulatory fines can elongate the duration of cost incursion and can balloon the costs themselves.
“Related to the increased cost of breaches in healthcare – make sense when one examines the volume and type of data stored,” George Wrenn, founder and CEO of CyberSaint Security, said via email. “Healthcare data is some of the most significant and yet the healthcare industry is struggling to implement standards that reflect the caliber of sensitive data that their systems process. Specifically for U.S. companies, this statistic should point to the need for greater awareness at the executive level of cybersecurity as well as the need to implement gold-standard frameworks such as the NIST Cybersecurity Framework to increase enterprise-wide cyber-resiliency.”
