In June of this year, the Ponemon Institute published its annual Cost of a Data Breach Study, sponsored by IBM Security. In piecing together this year’s report, the Ponemon Institute conducted over 2,200 interviews with representatives of 477 companies that had experienced a data breach in the past 12 months. This figure is up significantly on the 419 companies surveyed last year.
After three years of increasing costs, 2017 saw an overall reduction in the average and total costs of a breach. 2018, unfortunately, saw a return to rising costs.
Here are some of the headline figures:
- Average total cost of a data breach: $3.86 million (up from $3.62 million in 2017)
- Average cost per lost or stolen record: $148 (up from $141 in 2017)
- Average number of records compromised in 2018: up 2.2% on 2017
Worryingly, the survey also points to an increasing likelihood of a recurring material breach over the coming two years. This is despite the sharp focus on data protection that the GDPR and other emerging legislation have brought.
This year’s report includes an analysis of the impact of the increasing use of IoT devices on the cost of a breach. The cost of a breach at companies that have embraced the IoT was slightly higher than average, with the average cost per record increasing by $5. For larger breaches, of course, this can add a significant premium.
Talking of larger breaches, the report dedicates a section to what it calls “mega breaches”, where over 1 million records were compromised. In these instances, the average cost per breach is an eye-watering $40 million.
It should come as no surprise that organisations that are quick to identify and resolve a breach suffer significantly less financial damage. The average time taken to identify a breach last year was 197 days, with an average of a further 69 days taken post-identification to contain the breach. Companies that could effectively contain the breach within 30 days saw the average cost per breach come down from $4.25 million to $3.09 million.
When it comes to calculating the costs of a breach, the report considers four key factors: detection, response, notification and consequence (lost business). The last of these is, perhaps, the most difficult to quantify as it includes not only the impact of business disruption, but the longer-term impact of a loss of trust or reputation.
Under new legislation, such as the GDPR in the EU or Notifiable Breach Regulations in Australia, businesses are compelled to notify those affected by a qualifying breach. Given the costs associated with notification, it would seem sensible to do everything possible to prevent a qualifying breach. The question is, with breaches seemingly inevitable, how can you avoid additional notification and response costs?
One answer is encryption. Under the GDPR, if the affected data is protected by strong and effective encryption, a breach does not necessarily qualify as notifiable. If you would like to find out more about network data encryption, contact us at any time.