The cost of data breaches keeps increasing for companies, and new research indicates that the financial impact can continue to sap company coffers for years after the incident occurs. Released this week, the 2019 Cost of a Data Breach Report from Ponemon Institute showed that the average data breach now costs companies $3.92 million globally. This represents a 12% rise in breach costs over the last five years.
Based on a study of incidents at 507 companies, the report indicates that the biggest factors causing these rising costs are the multiyear financial impact of breaches, increased regulation, and the complex process of recovering from criminal attacks.
This is the first year of this long-running report in which the Ponemon authors took a deep dive into the 'long tail' impact of breaches in the years following a major incident, examining data from 86 companies across numerous years. The report showed that about one-third of a breach's total costs are incurred more than a year after the breach incident occurs. Approximately 22% of costs occur in year two, and 11% of costs happen more than two years after the breach.
"The long-tail costs of a breach were higher in the second and third years for organizations in highly regulated environments, such as the healthcare and finance industries," explained the report, stating that 48% of breach costs at highly regulated companies come after year one.
We can witness this dynamic at play just by looking at recent headlines about Equifax, which, two years after its massive breach affecting 150 million people, is now settling with federal and state governments to the tune of $700 million in restitution to consumers. These kinds of long-tail costs are likely to only grow bigger with the institution of regulatory regimes like the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
"In reality, Equifax should consider itself lucky that this breach occurred before data privacy regulations like GDPR and CCPA came into effect. With respect to GDPR, we’re beginning to see massive fines levied against companies like Marriott and British Airways," says Anurag Kahol, CTO of Bitglass. "CCPA, which is set to take effect in January 2020, calls for fines ‘...not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.’ This means that Equifax could have been subjected to fines totaling more than $110 billion had CCPA been in effect at the time of this breach."
The Ponemon study found that the lifecycle of a data breach is also getting longer. Measured as the time between when a data breach incident first occurs and when it is finally contained, that timeframe grew by 4.9% in the past year, from 266 days in 2018 to 279 days in 2019. The bulk of the time in the lifecycle generally unfolds when stealthy attackers are able to operate without detection, with the average time to detection lasting 206 days and the average time to contain the breach lasting 73 days.
The lifecycle measurement is a key metric related to breach costs, as the cost of a breach can be significantly reduced when that lifecycle is driven downward. Breaches with a lifecycle of less than 200 days were 37% less expensive than those of more than 200 days, representing an average savings of $1.22 million.
The study showed that malicious attacks are both the most common and the most expensive root cause of breaches, and that expense is likely tied to how long it takes to identify and contain breaches caused by these attacks. Since 2014, the proportion of breaches caused by malicious attackers has jumped by 21%. In 2019, just over half of breaches were caused by malicious attacks. These breaches have a lifecycle 12.5% longer than average, standing at 314 days. As such, they're more costly than other types of breaches, costing $4.45 million on average. That's 27% more than breaches caused by human error and 37% more than breaches caused by system glitches.
On average, breach incidents today cost companies $150 per record lost—up from $148 per record last year. Among the factors that could bring those costs down, those with the most dramatic impact were the use of encryption, business continuity, DevSecOps, and threat intelligence sharing.