The 2015 Cost of Data Breach analysis by Ponemon Institute

A joint report analysing the cost of data breaches has been released by IBM and Ponemon Institute. Having surveyed 350 companies globally, they’ve found that the average cost of a data breach is increasing, having gone from $3.52m in 2014 to $3.79m in 2015. The cost per breached record has also increased, from $145 to $154. Since 2013, the average cost of a breach has risen 23%.

Other key findings of this study show the reasons for an increased cost for data breaches this year. The main three are:

• Cyber attacks having become more frequent and the costs of remediating the consequences have also increased.
• The lost business resulting from a data breach has also increased, representing the damage to company reputation which customers are increasingly aware of thanks to a number of high-profile breaches.
• Costs of breach detection and escalation have also increased, from an average of $.76m in 2014 to $.99m in 2015.

This year, 47% of all breaches were found to be the result of a malicious or criminal attack, up from 42% in 2014. Those caused by human error accounted for a far lower 25%. Considering that a number of other studies have found users to be the main cause of breaches, this shift might actually be a welcome one. If more breaches are being caused by attacks, then this might indicate that less are being caused by users. Perhaps the increased media coverage surrounding cyber security and data breaches might be having a positive effect in this sense? However, breaches caused by malicious attacks also proved to be more expensive than those caused by human error, with an average cost per record of $170, opposed to $117.

Using the data collected about the breaches studied in the report, the researchers put together a graph which shows the likelihood of a breach occurring, broken down by volume of records. So while the probability of a breach of 10,000 records occurring is 25%, the chance of a breach of 100,000 or more records occurring is less than 1%.

Their findings also allowed them to assess companies based on the country in which they are based, with Brazil and France coming out as most likely to suffer a breach of more than 10,000 records while Canada and Germany were the least likely. Their study did represent only 11 countries but among these were other major Western countries including the UK and the US. They also found that all companies were more likely to suffer a breach of 10,000 records or less rather than a ‘mega breach’ of around 100,000 records or more.

In addition to breaking the data down by country, the report also examines the differences between the different industries. While the average cost per record this year is $154, if the breach occurs in the healthcare industry the cost per record could be as high as $363. The second highest came from the education sector, where the average was $300. The lowest cost per record was in the public sector, at only $68 per record.

The report also examines cost in comparison to the number of records breached, in which there is a clear correlation: the more records breached, the higher the cost. The breaches studies ranged from a total cost of $116,995 to $28,290,631. They’ve also broken down the costs into four main areas, ‘Detection and escalation’, ‘Notification’, ‘Ex-post response’ and ‘Lost business’, with lost business always proving the greatest expense, increasing year on year of the study.

What’s helpful about this report is that it studies factors that affected the financial consequences of a data breach, including executive involvement and the purchase of cyber insurance. This might help to guide other businesses in how to mitigate costs should a data breach occur. The top factors to decrease the cost of a breach include employing an incident response team, extensive use of encryption, employee training, business continuity management, CISO leadership, board-level involvement and insurance protection. Factors which actually serve to increase the costs include involving a third party, hiring consultants, rushing to notify clients and lost or stolen devices being a cause of the breach. The graph below shows the average financial impact for each of these points.

A final fact to take away is that the longer it takes to detect a breach, the greater the cost. So the overall message is to detect quickly, take all of the highlighted cost-reduction responses but of course, try to avoid a breach occurring in the first place!