IBM and Ponemon Institute have released the 2016 Cost of Data Breach Study: Global Analysis. According to the research, the average total cost of a data breach for the 383 companies participating in this research increased from $3.79 million to $4 million.
The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $154 in 2015 to $158 in this year’s study. In addition to cost data, the global study looks at the likelihood of a company having one or more data breach occurrences in the next 24 months. The study estimates a 26% probability of a material data breach involving 10,000 lost or stolen records.
According to this year’s findings, organizations in Brazil and South Africa are most likely to have a material data breach involving 10,000 or more records. In contrast, organizations in Germany and Australia are least likely to experience a material data breach.
In this year’s study, 383 companies located in the following 12 countries participated: United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the Arabian region (United Arab Emirates and Saudi Arabia), Canada and, for the first time, South Africa. All participating organizations experienced a data breach ranging from approximately 3,000 to slightly more than 101,500 compromised records.
We define a compromised record as one that identifies the individual whose information has been lost or stolen in a data breach.
Seven global megatrends in the cost of data breach research
Over the many years spent studying the data breach experience of 2,013 organizations in every industry, the research has revealed the following seven megatrends.
- Since first conducting this research, the cost of a data breach has not fluctuated significantly. This suggests that it is a permanent cost organizations need to be prepared to deal with and incorporate in their data protection strategies.
- The biggest financial consequence to organizations that experienced a data breach is lost business. Following a data breach, organizations need to take steps to retain customers’ trust to reduce the long-term financial impact.
- Most data breaches continue to be caused by criminal and malicious attacks. These breaches also take the most time to detect and contain. As a result, they have the highest cost per record.
- Organizations recognise that the longer it takes to detect and contain a data breach the more costly it becomes to resolve. Over the years, detection and escalation costs in our research have increased. This suggests investments are being made in technologies and in-house expertise to reduce the time to detect and contain.
- Regulated industries, such as healthcare and financial services, have the most costly data breaches because of fines and the higher than average rate of lost business and customers.
- Improvements in data governance programs will reduce the cost of data breach. Incident response plans, appointment of a CISO, employee training and awareness programs and a business continuity management strategy continue to result in cost savings.
- Investments in certain data loss prevention controls and activities such as encryption and endpoint security solutions are important for preventing data breaches. This year’s study revealed a reduction in the cost when companies participated in threat sharing and deployed data loss prevention technologies.
The following are the most salient findings and implications for organizations:
Data breaches cost the most in the US and Germany and the lowest in Brazil and India. The average per capita cost of data breach was $221 in the US and $213 in Germany. The lowest cost was in Brazil ($100) and India ($61). The average total organizational cost in the US was $7.01 million and in Germany $5.01 million. The lowest organizational cost was in India ($1.6 million) and South Africa ($1.87 million).
The cost of data breach varies by industry. The average global cost of data breach per lost or stolen record was $158. However, healthcare organizations had an average cost of $355 and in education the average cost was $246. Transportation ($129), research ($112) and public sector ($80) had the lowest average cost per lost or stolen record.
Hackers and criminal insiders caused the most data breaches. 48% of all breaches in this year’s study were caused by malicious or criminal attacks. The average cost per record to resolve such an attack was $170. In contrast, system glitches cost $138 per record and human error or negligence was $133 per record. Companies in the US and Canada spent the most to resolve a malicious or criminal attack ($236 and $230 per record, respectively). India spent far less ($76 per record).
Malicious or criminal attacks vary significantly by country. 60% of all breaches in the Arabian Cluster and 54% of all breaches in Canada were due to hackers and criminal insiders. Only 37% of all data breaches occurring in South Africa were due to malicious attacks. Instead, South African companies had the highest percentage of human error data breaches (37%), and Indian organizations were most likely to experience a data breach caused by a system glitch or business process failure (35%).
Incident response teams and extensive use of encryption decreased the cost of data breach. An incident response team reduced the cost of data breach by $16 per record, from $158 to $142. In contrast, data breaches caused by third party involvement resulted in an increase of $14, from $158 to $172 per record.
Measures reveal why the cost of data breach increased. The average total cost of a data breach increased 5.4% and the per capita or per record cost increased 2.9%. The average size of the data breach (number of records lost or stolen) increased 3.2%. Abnormal churn, defined as the greater than expected loss of customers in the normal course of business, grew 2.9%.