A new IBM Security study finds that hidden costs in data breaches – such as lost business, negative impact on reputation and employee time spent on recovery – are difficult and expensive to manage.
Sponsored by IBM Security and conducted by Ponemon Institute, the 2018 Cost of a Data Breach Study collected data from February 2017 until interviews were completed in April 2018. The report found that the average cost of a data breach in South Africa is R36.5 million, increasing from R32 million in the 2017 report.
The average number of breached records found in the 2018 study was 21,090 – representing a 6.31% increase in the size of the average data breach.
Based on in-depth interviews with 20 companies that experienced a data breach, the study analysed hundreds of cost factors surrounding a breach, from technical investigations and recovery, to notifications, legal and regulatory activities, and cost of lost business and reputation.
“While highly publicised data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified,” said Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services (IRIS).
“The truth is there are many hidden expenses which must be taken into account, such as reputational damage, customer turnover, and operational costs. Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake.”
What impacts the average cost of a data breach?
For the past three years, the Ponemon Institute has examined the cost associated with data breaches of less than 100,000 records, finding that the costs have steadily risen over the course of the study.
The average cost of a data breach was R36.5 million in the 2018 study, compared to R32 million in 2017 – representing a 12.2% increase from the prior year. In 2016, the average cost of a data breach was R28.6 million.
The study also examined factors which increase or decrease the cost of the breach, finding that costs are heavily impacted by the amount of time spent containing a data breach, as well as investments in technologies that speed response time.
- The average time to identify a data breach in the study was 150 days, and the average time to contain a data breach once identified was 40 days.
- The three root causes of data breaches were identified as malicious or criminal attack (45%), human error (30%) and system glitches (25%).
- On average, malicious or criminal attacks took 163 days to identify and 45 days to contain. Human error breaches took 139 days to identify and 33 days to contain.
- Detection and escalation costs also increased, rising from R9.5 million in 2016, to R11.6 million in 2017 and R12.3 million in the 2018 study.
The amount of lost or stolen records also impacts the cost of a breach, costing R1,792 per lost or stolen record on average – a 9.35% increase from 2017.
The study examined several factors which increase or decrease this cost:
- The extensive use of encryption;
- Board-level involvement in data breaches;
- The use of an AI platform for cybersecurity, which reduced the cost.
Calculating the cost of a mega breach
Globally, the study also calculated the costs associated with ‘mega breaches’ ranging from 1 million to 50 million records lost, projecting that these breaches cost companies between $40 million and $350 million respectively.
In the past five years, the number of mega breaches (breaches of more than 1 million records) has nearly doubled – from just nine mega breaches in 2013 to 16 mega breaches in 2017.
Based on analysis of 11 companies experiencing a mega breach over the past two years, this year’s report uses statistical modelling to project the cost of breaches ranging from 1 million to 50 million compromised records. Key findings include:
- The average cost of a data breach of 1 million compromised records is nearly $40 million globally;
- At 50 million records, the estimated total cost of a breach is $350 million;
- The vast majority of these breaches (10 out of 11) stemmed from malicious and criminal attacks (as opposed to system glitches or human error);
- The average time to detect and contain a mega breach was 365 days – almost 100 days longer than a smaller-scale breach (266 days).