Costs associated with a data breach have surged this year to $3.92 million, according to IBM’s latest Cost of a Data Breach study. And more than a third of that total stems from lost business.
The study, conducted by the Ponemon Institute, shows loss of customer trust is starting to substantially impact businesses, leading to serious financial consequences. Lost business ($1.42 million) is now the largest of four major cost categories contributing to the total cost of a data breach, followed by detection & escalation ($1.22 million), post-breach cost ($1.07 million), and notification ($0.21 million).
Lost business has remained the highest cost component for five years straight, according to the study.
“Whereas organizations that lost less than one percent of their customers due to a data breach experienced an average total cost of $2.8 million, organizations with customer turnover of 4 percent or more averaged a total cost of $5.7 million – 45 percent greater than the average total cost of a data breach,” the report reads.
The odds of suffering a data breach are increasing, according to the research, and small businesses face higher costs, relative to their size, than larger organizations. The lifecycle of a security incident is also getting longer.
In 2019, the average time to identify a breach is 206 days, while it takes an average of 73 days to contain it. This means organizations suffering a breach are impacted by the incident for a total of 279 days. The figure represents a 4.9 percent increase over the 2018 breach lifecycle of 266 days, according to the report.
While malicious attacks are the most common and expensive root cause of breaches, security incidents from system glitches and human error still cost millions.
Data breach costs impact organizations for years. After discovering the breach, an organization will incur 67 percent of the costs in the first year, then 22 percent in the second year, and 11 percent thereafter. If the 2017 Equifax incident is any indication, those costs can still reach crippling proportions two or even three years down the line. In fact, the study stops short of analyzing massive breaches like the Equifax one. The reason? The average cost of a data breach does not apply to “catastrophic mega data breaches,” as the authors put it.
It’s not all bad news, though. The same research found that encryption, business continuity management, DevSecOps and threat intelligence sharing are starting to emerge as efficient cost mitigators. Furthermore, Ponemon Institute’s survey shows respondents with an incident response team and extensive testing of their response plans stand to save over $1.2 million. Automation of security further reduces costs. In fact, organizations with no security automation suffer breach costs 95 percent higher than those at organizations with fully-deployed automation ($5.16 million versus $2.65 million).