In 2018, IBM and the Ponemon Institute once again investigated how costly data breaches can become for companies – and, for the first time, they also took “mega breaches” into consideration.
The average cost of a data breach amounts to 3.86 million US dollars this year according to a recent press release, which represents a rise of 6.4 percent compared to the previous year. For the very first time, IBM and Ponemon now also attach a virtual price tag to “mega breaches”, which are defined as data losses of a magnitude of 1 to 50 million data sets. For each such case, the actual costs incurred were between 40 million and 350 million dollars, the statement goes on to say (the 40 million is based on real data breaches, whereas the 350 million is based on projections).
IBM and Ponemon reveal that the number of “mega breaches” has just about doubled since 2013, from nine detected that year to sixteen in 2017. Of the eleven cases in the past two years which were investigated in more depth, the vast majority – ten out of eleven – were caused by malicious and criminal attacks (as opposed to system failures or human error). On average, almost 365 days passed before a “mega breach” was detected, almost a hundred more than with smaller breaches (266 days).
The largest single cost factor in “mega breaches” was lost business, valued by IBM as costing 118 million dollars for every 50 million lost data sets. For cases which were made public, the declared damage was in most cases significantly lower – presumably largely because such reports are usually confined to direct costs and fail to take into account “softer” factors, which are more troublesome to quantify.
“The truth is there are many hidden expenses which must be taken into account, such as reputational damage, customer turnover, and operational costs,” Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services (IRIS), is quoted as saying. “Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake.”
From a regional perspective, the study reveals that data losses are most expensive in the USA and in the Middle East, while they are “cheapest” in Brazil and India. Concerning the sectors of impacted companies, healthcare heads up the field for the eighth year in a row, with each lost or stolen data set costing 408 dollars, almost three times as much as the average across all sectors (148 dollars).
The entire 47-page study report can be downloaded from the IBM website upon registration. An accompanying cost calculator, including a digital infographic with highlights of the survey outcomes, is available at https://costofadatabreach.mybluemix.net.