CAMBRIDGE, Mass.—A new report indicates the cost of a data breach has risen 12% over the past five years and now costs $3.92 million on average.
According to the report from IBM Security, these rising expenses are representative of the multiyear financial impact of breaches, increased regulation and the complex process of resolving criminal attacks.
The financial consequences of a data breach can be particularly acute for small and midsize businesses. In the study, companies with less than 500 employees suffered losses of more than $2.5 million on average.
‘First Time’ Measurements
“For the first time this year, the report also examined the longtail financial impact of a data breach, finding that the effects of a data breach are felt for years,” IBM Security said. “While an average of 67% of data breach costs were realized within the first year after a breach, 22% accrued in the second year and another 11% accumulated more than two years after a breach. The longtail costs were higher in the second and third years for organizations in highly-regulated environments, such as healthcare, financial services, energy and pharmaceuticals.”
‘Big Money’
"Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses," said Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services. "With organizations facing the loss or theft of over 11.7 billion records in the past three years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line –and focus on how they can reduce these costs."
Sponsored by IBM Security and conducted by the Ponemon Institute, the annual Cost of a Data Breach Report is based on in-depth interviews with more than 500 companies around the world that suffered a breach over the past year. The analysis takes into account hundreds of cost factors including legal, regulatory and technical activities to loss of brand equity, customers, and employee productivity.
The Primary Findings
Some of the top findings from this year's report include:
- Malicious Breaches – Most Common, Most Expensive: Over 50% of data breaches in the study resulted from malicious cyberattacks and cost companies $1 million more on average than those originating from accidental causes.
- "Mega Breaches" Lead to Mega Losses: While less common, breaches of more than 1 million records cost companies a projected $42 million in losses; and those of 50 million records are projected to cost companies $388 million.
- Practice Makes Perfect: Companies with an incident response team that also extensively tested their incident response plan experienced $1.23 million less in data breach costs on average than those that had neither measure in place.
- Cost of U.S. Breaches Doubles: The average cost of a breach in the U.S. is $8.19 million, more than double the worldwide average.
- Healthcare Breaches Cost the Most: For the ninth year in a row, healthcare organizations had the highest cost of a breach – nearly $6.5 million on average (over 60% more than other industries in the study).