Light Dark
May 28, 2015 By David Puzas 3 min read
CISO
Data Protection

Data breaches continue to make headlines. They aren’t going away, and more importantly, the cost of a data breach is soaring for enterprises. However, if boards of directors and top executives are actively involved in risk management and security, they can significantly reduce costs related to a data breach.

That’s one of the top findings of the “2015 Cost of Data Breach Study: Global Analysis,” a benchmark research report sponsored by IBM and independently conducted by the Ponemon Institute. The study provides insights and trends that CISOs can marshal as they communicate with their C-suite colleagues and boards of directors. Already tasked with protecting companies from a multitude of ever-changing threats, CISOs can now show key stakeholders the specific economic costs of a security breach and the actions that will safeguard the enterprise and provide savings.

**Updated** Download the Ponemon Institute 2016 Global Cost of a Data Breach Study

Ponemon’s 2015 Cost of Data Breach Study at a Glance

This year’s report reveals that the cost of a data breach rose by more than 16 percent from 2014. Lost business represents the most expensive data breach cost and has steadily increased over the past three years. These expenses include the abnormal turnover of customers, increased customer acquisition activities, reputation damage and diminished goodwill. The costs associated with breach response and detection have also increased and typically cover aspects such as remediation, legal expenditures and regulatory interventions.

Here are some other fast facts from the 2015 Cost of Data Breach Study:

  • The institute surveyed 350 companies in 11 countries.
  • The average total cost of a data breach reached $3.79 million.
  • There was a 16.3 percent increase in the total cost of a data breach.
  • The average cost per lost or stolen record is $154.
  • There was a 6 percent increase in cost per lost or stolen record.

What Factors Into the Cost?

For the first time, the Ponemon Institute examined two factors that affected the financial consequences of a data breach. The first is executive involvement in an organization’s IT security strategy and response to data breaches. Research revealed the positive consequences that result when boards of directors take a more active role in risk management and data breach prevention. Such involvement reduces the cost by $5.50 per record. The benefit of participation was underscored by respondents: 79 percent of C-level U.S. and U.K. executives surveyed say executive-level involvement is necessary for achieving an effective incident response to a data breach, and 70 percent believed board-level oversight is critical.

This has critical implications. Data security and the protection of corporate “crown jewels” need to be discussion topics at board meetings and a priority for company officers such as the general counsel, CIO and CTO. It’s equally important that a designated board committee make risk management and security a regular agenda item. A third party with global experience in enterprise security who can serve as a trusted adviser to the board should be retained. Most importantly, the board needs to identify gaps in the company’s security and address these deficiencies.

The second factor is cyber insurance, which can mitigate the cost of a data breach. With the increasing cost and volume of data breaches, IT security is quickly moving from being considered a purely technological issue to a larger business risk. This shift has spurred increased interest in cyber insurance, which reduces the cost by $4.40 per record. Though such insurance should be considered as a last line of defense, if a policy is properly tailored, it can serve as part of an enterprise’s integrated approach to risk management, which should include rigorous security controls, operations and technology for addressing cybersecurity.

According to the report, other factors that can lower the cost of a data breach include establishing an incident response team, the extensive use of encryption, employee training, business continuity management, CISO leadership, insurance protection and consulting services. The Ponemon study also shows the relationship between how quickly an organization can identify and contain data breach incidents, thereby limiting the financial consequences. Malicious attacks can take an average of 256 days, while data breaches caused by human error takes an average of 158 days.

Knowledge Is Power

This report is critical reading for anyone who wants a worldwide perspective on the security threats behind data breaches and the role management can play to contain them. IBM has created a number of resources for you to learn more about and share this report.

The Ponemon study is further evidence of the need for rigorous security policies and management systems — programs that proactively protect all parts of the organization including users, data, applications and infrastructure. To do it right, CISOs, executives and boards of directors need to focus on four key concepts: optimizing security programs, stopping advanced threats, protecting critical assets, and safeguarding cloud and mobile environments.

Read the latest global cost of a data breach study and country-specific reports

 |  |  |  |  | 
David Puzas
Director, Security Services, IBM

More from CISO
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

April 2, 2024

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature