Ponemon Institute and IBM Security’s 2019 Cost of a Data Breach Report examines the impact of data breaches on organizations across the globe. The report reflects decades’ worth of research and metrics across multiple industries, including financial services and healthcare. While the research behind the report continuously evolves as technology and data regulations change, it’s clear that data breaches cause severe consequences. Fortunately, there are ways for organizations to mitigate the associated costs and enhance their security architecture to help prevent breaches in the first place. But first, let’s examine the key findings from this year’s report to understand the state of data breaches in 2019.
Key findings from the 2019 Cost of a Data Breach Report
The 2019 cost of a data breach is $3.92 million, on average. With the median size of a data breach containing 25,575 compromised records, that calculates to $150 in costs per lost record. Whether an organization has five or 5,000 employees, the expenses required to recover from a breach – compliance fines, legal fees, work hours used on recovery efforts, reputational damage – are significant and can lead to financial trouble. For American businesses, the damage is severe; the most expensive country for a data breach is the United States at an average of $8.19 million. And healthcare companies are the most expensive industry with an average breach cost of $6.45 million. While every organization needs to take precautions to avoid a breach, it’s particularly crucial for businesses in highly regulated industries to extend an extra level of data security because the consequences of a breach are even more severe when considering compliance penalties.
Loss of customer trust was the biggest contributor to data breach costs
Loss of customer trust leads to major financial consequences; on average, organizations saw $1.42 million in costs for lost business, making up nearly 40% of the total average cost of a data breach. Overall, breaches were responsible for an abnormal customer turnover rate of 3.9%. However, organizations with a turnover rate of 1% averaged a cost of $2.8 million for a breach, while companies with a turnover rate of 4% experienced an average cost of $5.7 million, which is 45% higher than the average 2019 cost of a data breach.
The importance of maintaining consumer trust is reflected in the significant impact that data breaches have on organizational turnover. To maintain trust, companies must establish a culture of privacy that starts at the top and permeates every aspect of the business.
Data breaches have long-lasting impacts on companies
In recent years, the study has looked at the long-term impacts of data breaches. Long after an actual incident, organizations feel the impact. Nearly one-third of data breach costs continued to affect a company beyond one year after the breach occurred. In highly regulated industries such as healthcare or financial services, these long-tail costs actually increased during the second and third years after a breach, likely due to compliance fines and loss of trust among customers.
Data breach lifecycles are increasing
A data breach lifecycle begins when a breach is detected and concludes when it is contained. The average full lifecycle period has grown from 266 days in 2018 to 279 days in 2019. Notably, however, the more rapidly an organization can detect and contain a breach, the lower the costs will be – on average, if a breach lifecycle was less than 200 days, the associated data breach costs were $1.2 million (37%) less than those of 200 or more days. The increase in lifecycle span may be due to a number of factors – increasingly covert hackers, more insiders being lured into malicious attacks, or the lack of awareness on organizations’ parts as to the full suite of security tools necessary to prevent data breaches, such as user activity monitoring at the application layer and a user behavior analytics platform.
Inadvertent insider threats are still responsible for millions of dollars in breach-related costs every year
Accidental insider threats – human error and system glitches – are responsible for an average of more than three million dollars in breach costs. While malicious attacks are the most expensive root cause, insiders aren’t far behind, causing almost half of the breaches studied. Insiders – those with privileges such as CRM access, login credentials for databases, or even physical access to offices – may be compromised by phishing attacks, lost or stolen devices, malware, and other cybersecurity dangers.
The impact of a data breach depends on the size of your organization
The study found that small businesses incurred significantly higher per-employee costs than larger companies. The largest organizations (25,000 or more employees) saw an average cost of $204 per employee, while small organizations (500 to 1,000 employees) faced an average cost of $3,533 per employee. With a disproportionately higher cost relative to their size, smaller companies face massive data breach costs, which may impede their ability to recover financially afterward.
Incident response teams lower costs more than any other single security process
The presence of an incident response (IR) team strengthens a company’s ability to respond effectively to data breaches and other data security and privacy incidents. In fact, among companies that had IR teams and thoroughly tested their response plans, the average amount saved on data breach costs was more than $1.2 million.
More than any other security process, having an incident response team that performs regular, extensive testing led to the greatest savings. An IR team can conduct thorough response plan testing via tabletop exercises, environmental simulations in a cyber range, vulnerability scanning, and penetration testing, enabling teams to respond faster and even help contain breaches sooner.
Automating security can help reduce costs
When it comes to data security, reducing the need for human intervention has a significant impact on the expense of a data breach. Automation such as machine learning, AI, and trend-based analytics reduces the chance of human error, which accounts for an average of $3.5 million in breach costs. Automation also frees up valuable time for employees to focus on other efforts, and the additional insights from analytics highlight areas where security can be improved.
The study found that, among the 26 cost factors examined, a subset helped reduce the cost of a breach, whether proactive or reactive. The four factors associated with below-average breach costs are:
- Encryption – extensive use of encryption can protect sensitive data even if it’s accessed by unauthorized parties
- Data loss prevention – security solutions in a multi-layered defense in depth architecture safeguard mission-critical information from being taken out the door
- Threat intelligence sharing – sharing security intelligence among industry peers allows companies to enhance collective defenses against rapidly evolving cybersecurity threats
- DevSecOps – coordinating the functions of development, security, and IT operations to integrate security into the software development process can prevent security gaps
On average, encryption has the greatest impact in reducing the cost of a breach by saving $360,000.
How to enhance your security architecture in a world full of data breaches
The report demonstrates the severity of data breaches, particularly the impact they have financially on organizations in all industries. Given the cost of a data breach, the report offers recommendations for companies that want to reduce their chances of a cyber incident as well as the associated costs:
- Create an incident response (IR) team, develop incident response plans, and routinely test the plans and make improvements.
- Develop extensive compliance, governance, security, and privacy programs for a robust security architecture.
- Invest in technology like user activity monitoring and behavior analytics to protect the sensitive data in your cloud applications and reduce your incident response time. When it comes to data breaches, time is money.
- Maintain customer trust by implementing a culture of privacy throughout your organization. How you treat customers’ privacy can make a significant impact on your turnover rate in the event of a cyber incident.
- Reduce siloed departments across your organization – integrate development, security, and IT operations to avoid disconnect among security solutions or critical cybersecurity gaps.
- Classify and encrypt sensitive data through core security controls. Doing so can also help you meet compliance requirements for data regulations and frameworks like GDPR, CCPA, and ISO 27001.