The answer ultimately depends on the country and industry, but in general it can span anywhere from $1.25 million to $8.19 million.
It's difficult to get a proper grip on cybersecurity by the numbers, especially when every other day brings news of a new breach, many of which see millions upon millions of records exposed.
The latest number - one that's a safe bet to change in a few months from now, if not sooner - is $3.9 million.
That’s the average cost of a data breach currently, a figure that’s up 1.5 percent from the year prior and factors into a 12 percent increase over the past five years.
The statistic, per IBM and the Ponemon Institute's annual "Cost of a Data Breach" report, will likely be one of the most cited figures across the cybersecurity landscape for the rest of the year when it comes to putting a price tag on the costs associated with a breach.
The report, which clocks in at 77 pages this year, aggregates costs reported by 507 organizations, from 17 industries, from 16 regions: United States, India, the United Kingdom, Germany, Brazil, Japan, France, the Middle East, Canada, Italy, South Korea, Australia, Turkey, ASEAN, South Africa, and Scandinavia. Through interviews with 3,211 individuals, IBM and Ponemon collected data points regarding the number of customer records lost or stolen in breaches, how the company responded to the breach, and how their business fared after the breach. The report, released last week, is in its 14th year.
According to the report, data breaches cost companies surveyed in the report $150 per record. Perhaps unsurprisingly, that number is up over last year's figures, which put the average cost of each record at $148, up from $141 in 2017.
Can Factors Detract From the Cost of a Data Breach?
The report thoroughly breaks down every angle of a data breach and at one point, digs into how having mitigations in place, like an incident response team or encryption, can reduce the cost of a breach. According to IBM/Ponemon, by having both in place a company could potentially reduce the cost of a breach by $720,000.
According to the report, companies that had security automation technologies deployed experienced around half the cost of a breach ($2.65 million on average) compared to those that did not have these technologies deployed ($5.16 million average). Having an incident response team and building on that team by performing periodic incident response plan testing proved beneficial too; companies that do both could save $1.23 million per data breach on average, according to the report.
The U.S. Is #1
It's important to note that these numbers are an average and not the norm in the United States, the most expensive country in which to experience a data breach.
In the U.S. a data breach costs a company on average $8.19 million, an increase from $7.91 million in 2018, and more than twice the global average. The cost per breached record, $242, is steeper too.
Where the U.S. wasn't tops was the average number of records per breach. According to the report, orgs in both the Middle East and India (38,800 and 35,636) had more records exposed per breach than the U.S.
Healthcare Breach Woes
The healthcare industry has proven time and time again to be a susceptible target for attackers when it comes to cyberattacks and this report's numbers surely complement that concept. According to the report, healthcare breaches cost organizations $6.45 million per breach, a number that eclipses all other sectors and makes it the ninth year in a row that healthcare orgs have had the highest costs associated with a data breach.
The average cost per breached healthcare record ($429) is more than double any other industry too and substantially higher than the average, $150, according to the report.
Unfortunately, according to IBM and Ponemon's statistics, healthcare breaches can often take the longest to identify, up to 236 days; they take the longest, tied with attacks on the public infrastructure, to remedy as well.
The healthcare industry (followed by the financial and pharmaceuticals industries) had the biggest difficulty retaining customers following a breach. On average, the abnormal customer turnover is 3.9 percent; for health companies, it was 7.0 percent.