Average cost of a data breach exceeds $3.8 million, claims report | Cyber Security

Data breaches are getting more expensive.

That’s one of the findings of a new global study by the Ponemon Institute that examines the financial impact of a corporate data breach.

So what is the actual cost of a data breach? Well, obviously it varies depending on the nature of the organisation that has lost control of its data, the nature of data that has been breached and the severity of the attack.

But the Ponemon Institute’s “2018 Cost of a Data Breach Study” has found that the average cost of a data breach globally is a not-to-be-sneezed-at US $3.86 million – a rise of 6.4% from last year’s equivalent report.

These average costs for a data breach do not apply to huge incidents like those weathered by Equifax, as they are thankfully not the type of breach experienced by most organisations. However, the study did not shy away from also considering these larger, more catastrophic incidents of data loss.

If your organisation did fall foul of what the study calls a “mega breach”, ranging from 1 million to 50 million lost records, the costs are said to average between $40 million and $350 million, respectively.

The Ponemon Institute study interviewed nearly 500 companies that had suffered a data breach, analysing the many different costs including incident investigation, recovery, legal and regulatory activity, reputational damage and lost business through customer turnover.

And it’s that last cost – lost business – that is particularly significant in “mega breaches” that involve the loss of more than one million records. According to the study, one-third of the cost of “mega breaches” can be placed at the door of lost business.

Of course there are all manner of factors that can be brought into play to reduce the cost to organisations that have been breached. One key consideration is how long it takes a business to identify and contain an incident. In short, the longer it takes to discover that you have been breached and fix the problem, the more it’s going to cost you.

The Ponemon Institute study reports that the mean time to identify a data breach is 197 days (or around 6.5 months), and the average time it takes to contain a breach is 69 days. Unfortunately, seemingly due to an increase in the severity of attacks, both of these figures have risen in the last year.

So, if a typical smaller scale data breach takes a total of 266 days (over 8.5 months) to detect and contain, how long does it take on average to handle a “mega breach”?

Again, the news is not good. According to the report, a mega breach takes 365 days on average to detect and contain. Yes, a year.

This is a trend that that everyone clearly wants to see turned around. And the research offers financial encouragement for businesses to dramatically reduce the figures as it claims that companies that manage to contain a breach in less than 30 days save over US $1 million compared to those organisations that do not. The figure is likely to be even more significant for “mega breaches.”

Clearly, more needs to be done to stop data breaches happening the first place and reduce the chances of a successful attack. Security systems can be automated, replacing or assisting human operators in the detection of a breach in the first place, and it’s important to ensure that defences are kept up-to-date. In addition, the existence of incident response teams that can put plans into action when a breach is uncovered could dramatically increase the chances of an attack being contained rapidly.

Ultimately, your organisation doesn’t want to suffer a data breach. Data breaches are costly and could severely impact your company’s ability to continue to do business long-term if customers are lost. If your IT team is not being properly resourced by your managers, it’s time to make the business case to explain why not investing in security could result in a catastrophic data breach.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.