Ponemon Institute – Cost of data breach reaches record levels

Pierluigi Paganini May 28, 2015

The Ponemon Institute’s 2015 Global Cost of Data Breach Study reveals that the average cost of a data breach has reached record levels.

Every year I present the findings of the report published by the Ponemon Institute on the evolution of the cost of a data breach. It is a very interesting study that provides an economic approach to the concept of “data breach”, which is essential whenever you have to discuss cyber security with company executives. This year the researchers at the Ponemon Institute analyzed results from 350 companies in 11 countries; every company surveyed had suffered a breach over the past year.

According to the report just released by IBM and the Ponemon Institute, the per-record cost of a data breach reached $154 this year, a record value that is up 12 percent from last year ($145).

As already observed in previous editions of the study, data breach costs varied dramatically by geography and by industry: the US had the highest per-record cost ($217), followed by Germany ($211).


The health care industry suffered the highest costs, estimated at an average of $363 per record, a figure that does not surprise experts given the higher value of medical records compared with credit card data.


A set of complete health insurance credentials sold for $20 on the underground markets in 2013 — 10 to 20 times the price of a U.S. credit card number with a security code, according to Dell.

Caleb Barlow, vice president at IBM Security, explained that data in a medical record have a much longer shelf life than that of a credit card number.

“With credit cards, the time frame from the breach to mitigation is very short,” Barlow explained. “But the health care record can be used to establish access in perpetuity; it can be used to establish credit or steal your identity ten or fifteen years from now,” he added. “Once this information is out there, you can’t get the genie back in the bottle.”

Another alarming result of the Ponemon report is the average total cost of a single data breach, which jumped to $3.79 million, an increase of 23 percent.

The analysis of the cost of a data breach reveals that “Loss of business” was a significant part of the total cost of a data breach.

The study also analyzed other factors that could influence the cost of a data breach, such as the availability of an incident response team, which helps to promptly mitigate the incident and reduces the per-record cost by $12.60. Other factors are the adoption of encryption mechanisms (cost reduction of $12), employee training (cost reduction of $8) and CISO leadership (cost reduction of $5.60).

“Companies that have thought about this ahead of time, that had their board involved, that had insurance protection, that had practiced what they would do, they had a much lower cost per breach,” said Barlow. “This is really compelling. We have tangible evidence that those who were doing that had a much lower costs. You don’t have days to respond — you don’t even have hours. You have minutes to get your act together.”

On the other side, factors that increased costs were the involvement of a third party in the cause of a breach ($16 per record), outsourcing ($4.50 per record) and the loss or theft of company devices ($9 per record).


The cost of a data breach increases with the time necessary to mitigate the incident. On average, it took respondents 256 days to spot a breach caused by a threat actor and 82 days to contain it.

Below there are the key findings of the Ponemon report:

  • Board level involvement and the purchase of insurance can reduce the cost of a data breach. For the first time, we looked at the positive consequences that can result when boards of directors take a more active role when an organization had a data breach. Board involvement reduces the cost by $5.50 per record. Insurance protection reduces the cost by $4.40 per record.
  • Business continuity management plays an important role in reducing the cost of data breach. The research reveals that having a business continuity management involved in the remediation of the breach can reduce the cost by an average of $7.10 per compromised record.
  • The most costly breaches continue to occur in the US and Germany at $217 and $211 per compromised record, respectively. India and Brazil still have the least expensive breaches at $56 and $78, respectively.
  • The cost of data breach varies by industry. The average global cost of data breach per lost or stolen record is $154. However, if a healthcare organization has a breach, the average cost could be as high as $363, and in education the average cost could be as high as $300. The lowest cost per lost or stolen record is in transportation ($121) and public sector ($68).
  • Hackers and criminal insiders cause the most data breaches. Forty-seven percent of all breaches in this year’s study were caused by malicious or criminal attacks. The average cost per record to resolve such an attack is $170. In contrast, system glitches cost $142 per record and human error or negligence is $137 per record. The US and Germany spend the most to resolve a malicious or criminal attack ($230 and $224 per record, respectively).
  • Notification costs remain low, but the costs associated with lost business steadily increase. Lost business costs are abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished good will. The average cost has increased from $1.23 million in 2013 to $1.57 million in 2015. Notification costs decreased from $190,000 to $170,000 since last year.
  • Time to identify and contain a data breach affects the cost. For the first time, our study shows the relationship between how quickly an organization can identify and contain data breach incidents and financial consequences. Malicious attacks can take an average of 256 days to identify while data breaches caused by human error take an average of 158 days to identify. As discussed earlier, malicious or criminal attacks are the most costly data breaches.

Enjoy the report; it is full of interesting data.

Pierluigi Paganini

(Security Affairs – Cost of data breach, cyber security)
