The average cost of a data breach has risen 12% over the past five years to US$3.92 million, according to IBM’s 2019 Cost of a Data Breach study, which drew on input from more than 500 companies around the world that suffered a breach over the past year.
The rising financial impact was attributed to a trio of factors – the multi-year financial fallout from breaches, increased regulation, and the complexity of resolving criminal attacks.
The report comes at a time when several companies are facing the prospects of hefty bills for massive cyber-incidents. This includes Equifax in the United States and British Airways and Marriot Starwood in the United Kingdom.
For the first time this year, the study from IBM Security and Ponemon Institute also looked at the 'long tail' financial impacts of breaches. It found that while the compromised firm typically bears the financial brunt of the incident within the first year after it occurs, by no means is it ‘out of the woods’ so soon.
“While an average of 67% of data breach costs were realized within the first year after a breach, 22% accrued in the second year and another 11% accumulated more than two years after a breach. The long tail costs were higher in the second and third years for organizations in highly-regulated environments, such as healthcare, financial services, energy and pharmaceuticals,” reads the press release.
Among other findings, the report highlighted that in a number of ‘scenarios’ the financial consequences can climb even higher.
First, the incidents tend to be costlier for firms that suffered breaches at the hands of malicious actors, as opposed to incidents caused by human or system errors. Malicious breaches didn’t only account for more than one-half of the incidents under review, but they also cost an extra US$1 million than the inadvertent breaches (US$4.45 million versus US$3.5 million).
In addition, for firms based in the US, the average cost of a breach climbed all the way to US$8.19 million, having risen by 130% over the past 14 years.
Typically, breaches weigh particularly heavily on healthcare organizations, which recorded the highest cost of (US$6.5 million) and topped the list for the ninth year in a row.
Regardless of the industry, however, a data breach can be downright devastating for a small and even mid-sized business. The study found that companies with fewer than 500 employees suffered losses of more than US$2.5 million on average. To put that into perspective, small businesses typically earn $50 million or less in annual revenue.
The average life cycle of a breach was 279 days. More precisely, on average it took companies 206 days to spot and another 73 days to contain the incident. When it comes to only malicious breaches, it took even longer – 314 days.
“Companies in the study who were able to detect and contain a breach in less than 200 days spent US$1.2 million less on the total cost of a breach,” according to the report. It outlined a slew of more factors that influenced the financial fallout, including the number of data records lost, whether the breach originated from a third party, and whether the company made extensive use of encryption.
In her excellent article last year, ESET security researcher Lysa Myers outlined how preparing for the worst can actually help firms avoid falling victim to such incidents in the first place.