As if it’s not bad enough that security breaches are constantly in the news and the sophistication of attacks is growing, the cost of intrusions continues to rise. Perhaps the only positive to draw from that development is that it strengthens the argument for more stringent security programs.
The 2016 Cost of Data Breach Study: Global Analysis Benchmark research conducted by Ponemon Institute shows that the average total cost of a data breach for the 383 companies in 12 countries participating in the research increased to $4 million from $3.79 million in the previous year.
The average cost paid for each lost or stolen record containing sensitive and confidential information rose from $154 in 2015 to $158 in this year’s study, says Ponemon, a research think tank dedicated to advancing privacy and data protection practices.
In addition to cost data, the global study looks at the likelihood of a company having one or more data breach occurrences in the next 24 months. The researchers estimate a 26% probability of a material data breach involving 10,000 lost or stolen records.
According to this year’s research findings, organizations in Brazil and South Africa are most likely to have a material data breach involving 10,000 or more records. In contrast, organizations in Germany and Australia are least likely to experience a material data breach.
All participating organizations experienced a data breach ranging from about 3,000 to slightly more than 101,500 compromised records. Ponemon Institute defines a compromised record as one that identifies the individual whose information has been lost or stolen in a data breach.
Data breaches cost the most in the U.S. and Germany and the least in Brazil and India. The average per capita cost of a data breach was $221 in the U.S. and $213 in Germany. The lowest cost was in Brazil ($100) and India ($61). The average total organizational cost in the U.S. was $7 million and in Germany $5 million. The lowest organizational cost was in India ($1.6 million) and South Africa ($1.87 million).
The more records lost, the higher the cost of the data breach. In this year’s study, the cost ranged from $2.1 million for a loss of fewer than 10,000 records to $6.7 million for more than 50,000 lost or stolen records.
The cost of data breaches varies by industry, the report says. While the average global cost of a data breach per lost or stolen record was $158, healthcare organizations had an average cost of $355 and educational institutions had an average cost of $246. Transportation ($129), research ($112) and public sector ($80) had the lowest average cost per lost or stolen record.
Hackers and criminal insiders caused the most data breaches, according to the report. About half (48%) of all breaches in this year’s study were caused by malicious or criminal attacks. The average cost per record to resolve such an attack was $170. In contrast, system glitches cost $138 per record and human error or negligence cost $133 per record. Organizations in the U.S. and Canada spent the most to resolve a malicious or criminal attack ($236 and $230 per record, respectively).
The existence of incident response teams and the extensive use of encryption by organizations decreased the cost of a data breach. An incident response team reduced the cost of a breach by $16 per record, from $158 to $142.
Over the years that Ponemon Institute has been studying the data breach experiences of more than 2,000 organizations, the research has revealed seven megatrends, according to Larry Ponemon, chairman and founder of the institute:
- Data breaches are now a consistent cost of doing business in the cybercrime era.
- The biggest financial consequence to organizations that experienced a data breach is lost business.
- Most data breaches continue to be caused by criminal and malicious attacks.
- Organizations recognize that the longer it takes to detect and contain a data breach, the more costly it becomes to resolve.
- Highly regulated industries such as health care and financial services have the most costly data breaches because of fines and the higher-than-average rate of lost business and customers.
- Improvements in data governance initiatives will reduce the cost of a data breach.
- Investments in certain data loss prevention controls and activities such as encryption and endpoint security solutions are important for preventing data breaches.
These are valuable insights for any organization looking to reduce the likelihood of attacks—and the cost of those incidents.