IBM Study: Hidden Costs of Data Breaches Increase Expenses for Businesses

by | Jul 12, 2018

Security, Cybersecurity trends

India: 11 July 2018: IBM Security today announced the results of a global study examining the full financial impact of a data breach on a company’s bottom line. Sponsored by IBM Security and conducted by Ponemon Institute, the study found that the average cost of a data breach in India is estimated at ₹ 119 million, a 7.9% increase from the 2017 report. Based on in-depth interviews with nearly 500 companies globally that experienced a data breach, the study analyzes hundreds of cost factors surrounding a breach, from technical investigations and recovery, to notifications, legal and regulatory activities, and cost of lost business and reputation.

Vikas Arora, Chief Transformation Officer, IBM India/South Asia

Vikas Arora, Chief Transformation Officer, IBM India/South Asia

“The threat scenario shows a significant rise in both number and sophistication of breaches in this year’s report, which is alarming as it continues to rise in India” said Vikas Arora, Chief Transformation Officer, IBM India/South Asia. “Companies in India need to fortify their security strategy to leverage a secure Cloud environment and build a strong AI strategy. They need to identify the many hidden expenses which must be considered, such as reputational damage, customer turnover, and operational costs. Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake.”

India findings

  • An estimated per capita cost per lost or stolen record reported was ₹ 4,552, a 7.8% increase from the 2017 report
  • Malicious or criminal attacks were the root cause for 42% of data breaches
  • The mean time to identify the data breach increased from 170 to 188 days
  • The mean time to contain the data breach increased from 72 to 78 days

Overall, the study found that hidden costs in data breaches – such as lost business, negative impact on reputation and employee time spent on recovery – are difficult and expensive to manage. For example, the study found that one-third of the cost of “mega breaches” (over 1 million lost records) were derived from lost business.

This year for the first time, the study also calculated the costs associated “mega breaches” ranging from 1 million to 50 million records lost, projecting that these breaches cost companies between $40 million and $350 million respectively.

Hidden Figures – Calculating the Cost of a Mega Breach

In the past five years, the amount of mega breaches (breaches of more than 1 million records) has nearly doubled – from just nine mega breaches in 2013, to 16 mega breaches in 2017.Source: IBM analysis of Privacy Rights Clearinghouse’s Chronology of Data Breaches Due to the small amount of mega breaches in the past, the Cost of a Data Breach study historically analyzed data breaches of around 2,500 to 100,000 lost records.

Based on analysis of 11 companies experiencing a mega breach over the past two years, this year’s report uses statistical modelling to project the cost of breaches ranging from 1 million to 50 million compromised records.  Key findings include:

  • Average cost of a data breach of 1 million compromised records is nearly $40 million dollars
  • At 50 million records, estimated total cost of a breach is $350 million dollars
  • The vast majority of these breaches (10 out of 11) stemmed from malicious and criminal attacks (as opposed to system glitches or human error).
  • The average time to detect and contain a mega breach was 365 days – almost 100 days longer than a smaller scale breach (266 days)

For mega breaches, the biggest expense category was costs associated with lost business, which was estimated at nearly $118 million for breaches of 50 million records – almost a third of the total cost of a breach this size. IBM analyzed the publicly reported costs of several high profile mega breaches, and found the reported numbers are often less than the average cost found in the study.

Equifax data breach reported to cost company $275 million; Target 2016 financial report estimated $292 million loss as a result of 2013 data breach; Ruby Corp (the parent company of Ashley Madison) reportedly paid $11.2 million for the settlement of its 2015 breach. This is likely due to publicly reported cost often being limited to direct costs, such as technology and services to recover from the breach, legal and regulatory fees, and reparations to customers.

What Impacts the Average Cost of a Data Breach?

For the past 13 years, the Ponemon Institute has examined the cost associated with data breaches of less than 100,000 records, finding that the costs have steadily risen over the course of the study.  The average cost of a data breach was $3.86 million in the 2018 study, compared to $3.50 million in 2014 – representing nearly 10 percent net increase over the past 5 years of the study.

This year for the first time, the report examined the effect of security automation tools which use artificial intelligence, machine learning, analytics and orchestration to augment or replace human intervention in the identification and containment of a breach. The analysis found that organizations that had extensively deployed automated security technologies saved over $1.5 million on the total cost of a breach ($2.88 million, compared to $4.43 million for those who had not deployed security automation.)

Regional and Industry Differences

The study also compared the cost of data breaches in different industries and regions, finding that data breaches are the costliest in the U.S. and the Middle East, and least costly in Brazil and India.

  • U.S. companies experienced the highest average cost of a breach at $7.91 million, followed by the Middle East at $5.31 million.
  • Lowest total cost of a breach was $1.24 million in Brazil, followed by $1.77 million in India.

“The goal of our research is to demonstrate the value of good data protection practices, and the factors that make a tangible difference in what a company pays to resolve a data breach” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “While data breach costs have been rising steadily over the history of the study, we see positive signs of cost savings through the use of newer technologies as well as proper planning for incident response, which can significantly reduce these costs.”

Download Full Reports & Register for the Webinar
To download the 2018 Cost of a Data Breach Study: Global Overview, visit
https://www.ibm.com/security/data-breach/

To view the digital infographic with study highlights, visit: https://costofadatabreach.mybluemix.net

To explore and interact with findings from the study, visit the IBM Security Data Breach Calculator, an interactive tool that allows you to manipulate report data and visualize the cost of a data breach across locations and industries, and understand how different factors affect breach costs.

About IBM Security
IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force® research, enables organizations to effectively manage risk and defend against emerging threats. IBM operates one of the world’s broadest security research, development and delivery organizations, monitors 35 billion security events per day in more than 130 countries, and has been granted more than 8,000 security patents worldwide.

 

 

Share This Article!

Brian Pereira
Brian Pereira
Brian Pereira is an Indian journalist and editor based in Mumbai. He founded Digital Creed in 2015. A technology buff, former computer instructor, and software developer, Brian has 29 years of journalism experience (since 1994). Brian is the former Editor of CHIP India, InformationWeek India and CISO Mag. He has served India's leading newspaper groups: The Times of India and The Indian Express. Presently, he serves the Information Security Media Group, as Sr. Director, Editorial. You'll find his most current work on CIO Inc. During his career he wrote (and continues to write) 5000+ technology articles. He conducted more than 450 industry interviews. Brian writes on aviation, drones, cybersecurity, tech startups, cloud, data center, AI/ML/Gen AI, IoT, Blockchain etc. He achieved certifications from the EC-Council (Certified Secure Computer User) and from IBM (Basics of Cloud Computing). Apart from those, he has successfully completed many courses on Content Marketing and Business Writing. He recently achieved a Certificate in Cybersecurity (CC) from the international certification body ISC2. Follow Brian on Twitter (@creed_digital) and LinkedIn. Email Brian at: [email protected]
Recommended Posts
The First 90 Days Are Crucial for the CISO and CIO

This book arms you with insights into crafting a robust 90-day plan, and you’ll be well-equipped to catapult into CIO or CISO roles successfully. Beyond technical proficiency, the book instills survival skills, ensuring longevity and helping you prevent burnout in these pivotal positions.

Similar Articles