For the tenth year running, the Ponemon Institute, a data protection and information security research centre based in Michigan, has published its 23-page “Cost of Data Breach” report. This year’s report is packed full of quantitative analysis that confirms the overarching cybersecurity trends: breaches are becoming increasingly expensive, and an increasing number of customers switch their allegiance to a competitor after a breach. It also highlights that certain anticipatory behaviours can help to reduce the cost – the most significant being having an incident response team in place.
N.B. the Ponemon Institute’s research has greater applicability to small-to-medium sized businesses than to large businesses, given that the study excludes from the data set any organisation which suffers a breach in which more than 100,000 records are compromised.
The key trends and statistics highlighted are as follows:
- Breaches are becoming increasingly expensive:
  - Data breaches cost companies an average of $217 per compromised record. This constitutes the highest average since Ponemon began tracking;
  - Of this $217:
    - $143 relates to indirect costs such as loss of customers;
    - $74 relates to direct costs such as investments in new detection technologies and legal fees;
  - Sectors that collect and retain personal data of a more sensitive nature, on average, face significantly higher per-record costs:
    - Health: $398
    - Pharmaceutical: $298
    - Financial: $259
  - The average organisational cost of a data breach is $6.53 million (this figure marks a rise from last year; however, the record high was set in 2011, when the average organisational cost was $7.24 million);
  - Unfortunately the worst is not over, as post-breach costs also increased from $1.60 million in 2014 to $1.64 million. After notification, these costs typically include help desk activities, legal expenditures, product discounts, identity protection services and regulatory interventions;
  - The cost of notifying those affected is an immediate and significant cost that has increased from an average of $0.51 million in 2014 to $0.56 million. These costs typically include the creation of contact databases, the determination of all regulatory requirements, the engagement of outside experts and the costs inherent in communicating the news to your customers.
- An increasing number of customers switch their allegiance to a competitor after a breach:
  - Notification and post-breach costs only just top $2 million on average; therefore the majority of the cost is indirect;
  - Lost business costs, such as increased customer acquisition activities, reputational losses and diminished goodwill, grew from $3.32 million in 2014 to $3.72 million (though the record high was set in 2009 at £4.59 million);
  - “Abnormal churn” (defined in the study as “a greater than expected loss of customers in the normal course of business”) increased by 3 percent;
  - The data reveals that certain industries are even more prone to large percentages of abnormal churn (presumably because they are sectors in which customers put a premium on trust):
    - Financial: 7.1%
    - Health: 6.0%
    - Technology: 5.4%.
- However, anticipatory behaviours can alleviate the cost:
  - The survey highlights the net benefit of certain anticipatory behaviours, which include (in order of effectiveness): having an incident response team, extensive use of encryption, having a CISO, employee training, board-level involvement and insurance protection;
  - Having an incident response team in place prior to a breach can decrease the average cost of a breach from $217 to $193.2 per compromised record;
  - Alleviating the cost of a breach does not have to be expensive either. By combining the proactive steps of board-level involvement and employee training, the cost of a breach can be reduced by $20.8 per compromised record, with a relatively modest investment;
  - In contrast, some responses can be counter-productive. For example, rushing to notify will increase the cost of a breach from $217 to $229.7 per compromised record.