Falling victim to a data breach is not getting any cheaper.
A new report issued by the Ponemon Institute and sponsored by IBM revealed that the cost of data breaches is trending upward. In an examination of breaches at 350 companies spread across 11 countries, the report found the average loss incurred for each lost or stolen record rose from $145 to $154.
Overall, the average total cost of the breaches included in the report, most of which occurred in 2014, was roughly $3.8 million. Healthcare companies fared the worst, with the average cost per stolen record reaching as high as $363, while retailers saw their average cost per record jump from $105 in last year’s study to $165 in this year’s.
“In healthcare the cost of detection was high because many of these organizations were ill-prepared, both with the tools and expertise, to understand the root cause of the breach,” explained Larry Ponemon, chairman and founder of the Ponemon Institute. “Post data breach costs were high because of regulatory disclosure requirements as mandated by HHS [U.S. Department of Health and Human Services] and OCR [Office for Civil Rights]. Healthcare organizations are also being targeted by malicious and criminal attacks because of the value of the information and knowledge that security is often not the best in these organizations.”
Breaches were the most expensive in the U.S. and Germany, where the average cost of each compromised record was $217 and $211, respectively. India had the lowest cost per compromised record, coming in at $56.
Many of these breaches can be traced to hackers. Some 47 percent of all the breaches in the study were caused by malicious or criminal attacks. The average cost per record to resolve these attacks was $170 globally, and $230 in the United States. System glitches cost $142 per record, while human error or negligence cost $137 per record.
While notification costs remain low, the costs associated with lost business in the wake of a breach actually increased from $1.23 million in 2013 to $1.57 million in the new report. According to the study, the time to identify and contain a breach was critical to keeping costs low. In the sample of 350 companies, the mean time to identify a breach was 206 days, with reported times ranging from 20 to 582 days. The mean time to contain a breach was 69 days.
“Organizations that involved their business continuity management [BCM] personnel in the data breach incident response process experienced a lower per capita cost and lower total average cost,” according to the research. “[The report] shows more than a $14 difference between the BCM and non-BCM groups in the data breach cost for one compromised record. A separate report, 2015 Cost of Data Breach Study: Impact of Business Continuity Management, focuses on the impact business continuity management has on the financial and reputational consequences of a data breach.”
Other factors that lowered the cost included having an incident response team, the use of encryption and employee training. Board-level involvement in security and the purchase of insurance were top factors as well.
“The growing sophistication and collaboration of cybercriminals ties directly with the historic costs we’re seeing for data breaches,” said Marc van Zadelhoff, vice president of strategy at IBM Security, in a statement. “The industry needs to organize at the same level as hackers to help defend themselves from these continuing attacks. The use of advanced analytics, sharing threat intelligence data and collaborating across the industry will help to even the playing field against attackers while helping mitigate the cost to commerce and society.”