IBM and Ponemon Institute are pleased to release the 2015 Cost of Data Breach Study: Global Analysis. According to our research, the average total cost of a data breach for the 350 companies participating in this research increased from $3.52 million to $3.79 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $145 in 2014 to $154 in this year’s study.
In the past, senior executives and boards of directors may have been complacent about the risks posed by data breaches and cyber attacks. However, there is a growing concern about the potential damage to reputation, class action lawsuits and costly downtime that is motivating executives to pay greater attention to the security practices of their organizations.
In a recent Ponemon Institute study, 79 percent of C-level US and UK executives surveyed say executive-level involvement is necessary to achieve an effective incident response to a data breach, and 70 percent believe board-level oversight is critical. As evidence, CEO Jamie Dimon personally informed shareholders following the JPMorgan Chase data breach that by the end of 2014 the bank would invest $250 million and have a staff of 1,000 committed to IT security.
For the second year, our study looks at the likelihood of a company having one or more data breach occurrences in the next 24 months. Based on the experiences of companies participating in our research, we believe we can predict the probability of a data breach based on two factors: how many records were lost or stolen and the company’s industry. According to the findings, organizations in Brazil and France are more likely to have a data breach involving a minimum of 10,000 records. In contrast, organizations in Germany and Canada are least likely to have a breach. In all cases, it is more likely a company will have a breach involving 10,000 or fewer records than a mega breach involving more than 100,000 records.
In this year’s study, 350 companies representing the following 11 countries participated: United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the Arabian region (United Arab Emirates and Saudi Arabia) and, for the first time, Canada. All participating organizations experienced a data breach ranging from a low of approximately 2,200 to slightly more than 101,000 compromised records. We define a compromised record as one that identifies the individual whose information has been lost or stolen in a data breach.
In this report, for the first time, we will examine two factors that affected the financial consequences of a data breach. The first is executive involvement in their organization’s IT security strategy and response to data breaches. The second is the purchase of cyber insurance to mitigate the cost of a data breach. With the increasing cost and volume of data breaches, IT security is quickly moving from being considered by business leaders as a purely technology issue to a larger business risk. This shift has spurred increased interest in cyber insurance.
The three major reasons contributing to a higher cost of data breach in 2015 are:
Cyber attacks have increased in frequency and in the cost to remediate the consequences. The cost of data breaches due to malicious or criminal attacks increased from an average of $159 in last year’s study to $170 per record. Last year, these attacks represented 42 percent of root causes of a data breach and this increased to 47 percent of root causes in this year’s study.
The consequences of lost business are having a greater impact on the cost of data breach. Lost business has potentially the most severe financial consequences for an organization. The cost increased from a total average cost of $1.33 million last year to $1.57 million in 2015. This cost component includes the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill. The growing awareness of identity theft and consumers’ concerns about the security of their personal data following a breach has contributed to the increase in lost business.
Data breach costs associated with detection and escalation increased. These costs typically include forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and the board of directors. This total average cost increased from $0.76 million last year to $0.99 million in this year’s report.
More companies are integrating forensic tools into their incident response procedures. In the long-term, deployment of these solutions will prove beneficial to companies because they will provide a clearer picture of the root causes of their data breaches. However, in many cases, these tools enable companies to discover the full extent of the breach. This may result in the reporting of higher data breach costs than in previous years.
NOTE: You may have heard about a Verizon report about data breach costs that came to a different conclusion than our report. We discuss the differences in methodology at this blog post. And we have a few additional observations about Verizon’s report at this post.
- Data breaches cost the most in the US and Germany and the lowest in Brazil and India. The average per capita cost of data breach is $217 in the US and $211 in Germany. The lowest cost is in Brazil ($78) and India ($56). The average total organizational cost in the US is $6.5 million and in Germany $4.9 million. The lowest organizational cost is in Brazil ($1.8 million) and India ($1.5 million).
- The cost of data breach varies by industry. The average global cost of data breach per lost or stolen record is $154. However, if a healthcare organization has a breach the average cost could be as high as $363 and in education the average cost could be as high as $300. The lowest cost per lost or stolen record is in transportation ($121) and public sector ($68). The retail industry’s average cost increased dramatically from $105 last year to $165 in this year’s study.
- Hackers and criminal insiders cause the most data breaches. Forty-seven percent of all breaches in this year’s study were caused by malicious or criminal attacks. The average cost per record to resolve such an attack is $170. In contrast, system glitches cost $142 per record and human error or negligence is $134 per record. The US and Germany spend the most to resolve a malicious or criminal attack ($230 and $224 per record, respectively).
- Malicious or criminal attacks vary significantly by country. Fifty-seven percent of all breaches in the Arabian cluster and 55 percent of all breaches in France are due to hackers and criminal insiders. Only 32 percent of all data breaches occurring in India are due to malicious attacks, and in Brazil it is 30 percent. However, India and Brazil have the most data breaches due to system glitches. Breaches due to human error are highest in Canada.
- Board involvement and the purchase of insurance can reduce the cost of a data breach. For the first time, we looked at the positive consequences that can result when boards of directors take a more active role when an organization has a data breach. Board involvement reduces the cost by $5.50 per record. Insurance protection reduces the cost by $4.40 per record.
- The loss of customers increases the cost of data breach. Certain countries have more problems retaining customers following a data breach and, therefore, can have higher costs. These are France, Italy, UK and Japan. Countries with the lowest churn rate are Canada, India and Brazil. Industries with the highest churn are health, pharmaceuticals and financial services.
- Notification costs remain low, but costs associated with lost business steadily increase. Lost business costs are abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill. The average cost has increased from $1.45 million in 2014 to $1.57 million in 2015. Notification costs have declined from $0.19 million in 2014 to $0.17 million in this year’s study.
- Certain countries are more likely to have a data breach. Last year’s study introduced a new analysis on the likelihood of one or more data breach occurrences. It is interesting that the likelihood of a data breach varies considerably across countries. Brazil and France are most likely to have a data breach involving a minimum of 10,000 records. Canada and Germany are least likely to have a data breach.
- Time to identify and contain a data breach affects the cost. For the first time, our study shows the relationship between how quickly an organization can identify and contain data breach incidents and financial consequences. Malicious attacks can take an average of 256 days to identify while data breaches caused by human error take an average of 158 days to identify. As discussed earlier, malicious or criminal attacks are the most costly data breaches.
- Business continuity management plays an important role in reducing the cost of data breach. The research reveals that having business continuity management involved in the remediation of the breach can reduce the cost by an average of $7.10 per compromised record.
To read the entire report, visit IBM’s Cost of a Data Breach website.