What Are the Costs of a Data Breach?
The ninth annual Cost of Data Breach Study: Global Study, released by IBM and the Ponemon Institute, estimates that the average total cost of a data breach for the companies participating in the study increased 15% to $3.5 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased more than 9% from $136 in 2013 to $145 in this year’s study. Three hundred and fourteen companies representing 10 countries, including the United States, participated in the research.
The report defines a data breach as an event in which an individual’s name plus a medical record and/or a financial record or debit card is potentially put at risk, either in electronic or paper format. The study identified three main causes of a data breach: a malicious or criminal attack, a system glitch, or human error. The costs of a data breach can vary according to the cause and the safeguards in place at the time of the data breach.
Forty-two percent of incidents involved a malicious or criminal attack, 30% concerned a negligent employee or contractor (human factor), and 29% involved system glitches, which include both IT and business process failures.
The consolidated average per capita cost of data breach (compiled for 10 countries and converted to U.S. dollars) differs widely among the countries in the research; in the U.S., the cost of a malicious or criminal data breach incident was $246 per compromised record.
Will your organization have a data breach?
As part of understanding the potential risk to an organization’s sensitive and confidential information, the study extrapolated a subjective probability distribution for the entire sample of participating companies on the likelihood of a material data breach happening over the next two years. The results show that the probability of a material data breach involving a minimum of 10,000 records is more than 22%.
The research identified factors that decreased and factors that increased the cost of a data breach. Having a strong security posture, an incident response plan and a CISO appointment reduced the cost per record by $14.14, $12.77 and $6.59, respectively. Factors that increased the cost were lost or stolen devices (+$16.10), third-party involvement in the breach (+$14.80), quick notification (+$10.45), and engagement of consultants (+$2.10).
According to the report, companies need to improve their strategic approach to threats, including developing strategies to protect online presence, information assets, and infrastructure.
If you have any questions about the research or want to learn more about how you can help protect your company from off-network data breach threats, contact us.