IBM and Ponemon have released their ninth annual Cost of Data Breach Study: Global Study. According to the research, the average total cost of a data breach for the companies participating in this research increased 15% to $3.5 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased more than 9% from $136 in 2013 to $145 in this year’s study.
For the first time, the study looks at the likelihood of a company having one or more data breaches in the next 24 months. Based on the experiences of the companies participating in the research, Ponemon believes it can predict the probability of a data breach from two factors:
- How many records were lost or stolen
- The company’s industry
According to the findings, organizations in India and Brazil are the most likely to have a data breach involving a minimum of 10,000 records, while organizations in Germany and Australia are the least likely. In all cases, a company is more likely to have a breach involving 10,000 or fewer records than a mega breach involving more than 100,000 records.
In this year’s study, 314 companies from the following 11 countries participated:
- Saudi Arabia (Saudi Arabia and the United Arab Emirates were combined as the Arabian region)
- United Arab Emirates
- United Kingdom
- United States
All participating organizations experienced a data breach ranging from a low of approximately 2,415 to slightly more than 100,000 compromised records. Ponemon defines a compromised record as one that identifies the individual whose information has been lost or stolen in a data breach.
As the findings reveal, the consolidated average per capita (per record) cost of a data breach, compiled for the eleven countries and converted to US dollars, differs widely among countries. Many of these cost differences can be attributed to the types of attacks and threats organizations face, as well as to the data protection regulations and laws in their respective countries.
In this year’s global study, the average consolidated per record cost of a data breach increased from $136 to $145. German and US organizations, however, experienced much higher average costs, at $195 and $201 per record, respectively.
Ponemon Institute conducted its first Cost of Data Breach study in the United States nine years ago. Since then, it has expanded the study to include the United Kingdom, Germany, France, Australia, India, Italy, Japan, Brazil and, for the first time this year, the United Arab Emirates and Saudi Arabia. Since the inception of this research series, 1,279 business and government (public sector) organizations have participated in the benchmarking process.
This year’s study examines the costs incurred by 314 companies in 16 industry sectors after those companies experienced the loss or theft of protected personal data. It is important to note that the costs presented in this research are not hypothetical but come from actual data loss incidents. They are based on cost estimates provided by the 1,690 individuals interviewed over a ten-month period at the companies represented in this research.
The following are the key findings, measured in US dollars:
- The most and least expensive breaches. US and German companies had the most costly data breaches ($201 and $195 per record, respectively). These countries also experienced the highest total cost (US at $5.85 million and Germany at $4.74 million). The least costly breaches occurred in Brazil and India ($70 and $51 per record, respectively). In Brazil, the average total cost for a company was $1.61 million and in India it was $1.37 million.
- Size of data breaches. On average, U.S. and Arabian region companies had data breaches that resulted in the greatest number of exposed or compromised records (29,087 and 28,690 records, respectively). On average, Japanese and Italian companies had the smallest number of breached records (18,615 and 19,034 records, respectively).
- Causes of data breaches differ among countries. Companies in the Arabian region and in Germany were most likely to experience a malicious or criminal attack, followed by France and Japan. Companies in India were the most likely to experience a data breach caused by a system glitch or business process failure, and UK companies were more likely to have a breach caused by human error.
- The most costly data breaches were malicious and criminal attacks. Consolidated findings show that malicious or criminal attacks are the most costly data breach incidents in all ten countries. U.S. and German companies experienced the most expensive data breach incidents, at $246 and $215 per compromised record, respectively. Brazil and India had the least costly data breaches caused by malicious or criminal attackers, at $77 and $60 per capita, respectively.
- Factors that decreased and increased the cost of a data breach. Having a strong security posture, an incident response plan and an appointed CISO reduced the cost per record by $14.14, $12.77 and $6.59, respectively. Factors that increased the cost per record were lost or stolen devices (+$16.10), third party involvement in the breach (+$14.80), quick notification (+$10.45) and engagement of consultants (+$2.10).
- Business continuity management reduced the cost of a breach. For the first time, the research reveals that having business continuity management involved in the remediation of the breach can reduce the cost by an average of $8.98 per compromised record.
- Countries that lost the most customers following a data breach. France and Italy had the highest rate of abnormal customer turnover or churn following a data breach. In contrast, the Arabian region and India had the lowest rate of abnormal churn.
- Countries that spent the most and least on detection and escalation. On average, German and French organizations spent the most on detection and escalation activities, such as investigating and assessing the data breach ($1.3 million and $1.1 million, respectively). Organizations in India and the Arabian region spent the least on detection and escalation, at $320,763 and $353,735 respectively.
- Countries that spent the most and least on notification. Typical notification costs include IT activities associated with the creation of contact databases, determination of all regulatory requirements, engagement of outside experts and other efforts to make sure victims are alerted to the fact that their personal information has been compromised. U.S. and German organizations on average spent the most ($509,237 and $317,635 respectively). Brazil and India spent the least amount on notification ($53,772 and $19,841, respectively).
- Will your organization have a data breach? As part of understanding the potential risk to an organization’s sensitive and confidential information, we thought it would be helpful to understand the probability that an organization will have a data breach. To do this, we extrapolate a subjective probability distribution for the entire sample of participating companies on the likelihood of a material data breach happening over the next two years. The results show that the probability of a material data breach involving a minimum of 10,000 records is more than 22%. In addition to the overall aggregated results, we find that the probability of a data breach varies considerably by country. India and Brazil have the highest estimated probability of occurrence.
The full report can be obtained here.