Fewer (but bigger) breaches in 2016, as average breach cost falls to $3.6m



The cost to firms of a data breach is high – $3.6 million on average – but that’s down from last year, a study by IBM and The Ponemon Institute finds.

The popular story about the U.S. economy is that it is highly efficient and friendly to businesses, with fewer regulations making the cost of starting and running a business much lower than across the pond in countries like the UK, France or Germany.

While that may be true in many areas, it looks as if it isn't the case when it comes to data breaches, where per-incident costs fell sharply over the last year in several European countries while U.S. firms saw their costs rise.

This new data comes from the 2017 Cost of Data Breach Study by The Ponemon Institute. The research, sponsored by IBM, has tracked the cost of data breach incidents for several years by surveying companies in North America, Europe and Asia. The most recent study, released on Tuesday, found that the cost of breaches declined modestly between fiscal year 2016 and fiscal year 2017 (the subject of the latest report). However, the report also showed an increase in the size of data breaches, as well as stark and somewhat puzzling differences in cost based on geography.

First the good news: the average cost to companies that experienced a data breach was lower this year than last. Surveyed companies paid $4 million per incident on average last year, compared with $3.6 million in FY 2017. That is lower, in fact, than the 2015 average as well, when companies paid $3.79 million per incident.

Dig down into the numbers, however, and the picture isn’t quite as rosy. The cost of breaches in the United States was well above average at $7.35 million. In contrast, Brazilian and Indian organizations had the lowest total average cost at $1.52 million and $1.68 million, respectively.

Also, when Ponemon looked at the factors that affect the cost of a breach, it turns out that organizations in many regions are continuing to struggle with the effects of data breaches on their business. Across the four metrics that Ponemon uses to measure data breaches (customer churn, the number of records lost, the average total cost of the breach and the per capita cost), more regions saw increases than decreases.

In fact, of the 13 countries and regions surveyed, only three were able to improve all four cost measures and show a percentage net change decrease in FY 2017. Those countries were Australia, Germany and the UK. In contrast: Brazil, India, Italy, Japan, the Middle East and South Africa all experienced percentage net increases in all four cost measures.

There were also large and somewhat puzzling differences in the cost of data breaches depending on where in the world they happened. Ponemon's data showed significant decreases in average total cost in Germany (-0.91), France (-0.68), Australia (-0.48) and the UK (-0.45), but comparatively large increases in average total cost in the Middle East (+0.83), the United States (+0.66) and Japan (+0.52).

The reasons for these regional discrepancies are complex, but they boil down to factors that are well known to any business person: direct and indirect costs. Data breaches are, after all, just adverse business events, like winter storms, that organizations are forced by circumstance to contend with. In doing so they incur all manner of direct and indirect costs, from hiring forensic investigators to figure out what happened, to notifying regulators and customers of the incident, to making customers whole and dealing with the business lost as a result of the incident.

All told, the average direct costs of dealing with breaches, such as hiring law firms and forensic investigators and notifying customers, were highest for organizations in the Middle East and Canada. But on particular measures, like notifying customers or hiring forensic investigators, U.S. firms faced higher costs. U.S. companies also had the highest overall indirect costs from breaches, including the cost of employees' time and effort spent notifying victims and investigating the breach. And while "churn" (customer loss) for U.S. firms following an incident was about average compared with other countries and regions, it was far more expensive for U.S. firms to lose customers and goodwill than for companies elsewhere.

The other message of the data breach report that can get lost in the numbers is about how endemic these incidents are. Ponemon surveyed 419 companies in 13 countries or regions. Every single one had experienced a breach in the preceding fiscal year, ranging from a few thousand compromised records to "slightly less than 100,000." One caveat when reading that figure: the study's sample is drawn from organizations that had a breach, so it describes the sample rather than estimating how common breaches are overall. Even so, the scale of the incidents across every region surveyed speaks to the difficult reality for online organizations today.

Paul Roberts


Paul Roberts is the editor in chief of The Security Ledger and founder of the Security of Things Forum. A seasoned reporter, Paul has more than a decade of experience covering the IT security space. His writing has appeared in publications including The Christian Science Monitor, MIT Technology Review and The Economist Intelligence Unit. He's appeared on news outlets including Al Jazeera America, NPR's Marketplace Tech Report and The Oprah Show.