May 28, 2015 By David Puzas 3 min read

Data breaches continue to make headlines. They aren’t going away, and more importantly, the cost of a data breach is soaring for enterprises. However, if boards of directors and top executives are actively involved in risk management and security, they can significantly reduce costs related to a data breach.

That’s one of the top findings of the “2015 Cost of Data Breach Study: Global Analysis,” a benchmark research report sponsored by IBM and independently conducted by the Ponemon Institute. The study provides insights and trends that CISOs can marshal as they communicate with their C-suite colleagues and boards of directors. Already tasked with protecting companies from a multitude of ever-changing threats, CISOs can now show key stakeholders the specific economic costs of a security breach and the actions that will safeguard the enterprise and provide savings.

**Updated** Download the Ponemon Institute 2016 Global Cost of a Data Breach Study

Ponemon’s 2015 Cost of Data Breach Study at a Glance

This year’s report reveals that the cost of a data breach rose by more than 16 percent from 2014. Lost business represents the most expensive data breach cost and has steadily increased over the past three years. These expenses include the abnormal turnover of customers, increased customer acquisition activities, reputation damage and diminished goodwill. The costs associated with breach response and detection have also increased and typically cover aspects such as remediation, legal expenditures and regulatory interventions.

Here are some other fast facts from the 2015 Cost of Data Breach Study:

  • The institute surveyed 350 companies in 11 countries.
  • The average total cost of a data breach reached $3.79 million.
  • There was a 16.3 percent increase in the total cost of a data breach.
  • The average cost per lost or stolen record is $154.
  • There was a 6 percent increase in cost per lost or stolen record.

What Factors Into the Cost?

For the first time, the Ponemon Institute examined two factors that affected the financial consequences of a data breach. The first is executive involvement in an organization’s IT security strategy and response to data breaches. Research revealed the positive consequences that result when boards of directors take a more active role in risk management and data breach prevention. Such involvement reduces the cost by $5.50 per record. The benefit of participation was underscored by respondents: 79 percent of C-level U.S. and U.K. executives surveyed say executive-level involvement is necessary for achieving an effective incident response to a data breach, and 70 percent believed board-level oversight is critical.

This has critical implications. Data security and the protection of corporate “crown jewels” need to be discussion topics at board meetings and a priority for company officers such as the general counsel, CIO and CTO. It’s equally important that a designated board committee make risk management and security a regular agenda item. A third party with global experience in enterprise security who can serve as a trusted adviser to the board should be retained. Most importantly, the board needs to identify gaps in the company’s security and address these deficiencies.

The second factor is cyber insurance, which can mitigate the cost of a data breach. With the increasing cost and volume of data breaches, IT security is quickly moving from being considered a purely technological issue to a larger business risk. This shift has spurred increased interest in cyber insurance, which reduces the cost by $4.40 per record. Though such insurance should be considered as a last line of defense, if a policy is properly tailored, it can serve as part of an enterprise’s integrated approach to risk management, which should include rigorous security controls, operations and technology for addressing cybersecurity.

According to the report, other factors that can lower the cost of a data breach include establishing an incident response team, the extensive use of encryption, employee training, business continuity management, CISO leadership, insurance protection and consulting services. The Ponemon study also shows a relationship between how quickly an organization can identify and contain a data breach and the financial consequences it suffers. Breaches caused by malicious attacks take an average of 256 days to identify and contain, while breaches caused by human error take an average of 158 days.

Knowledge Is Power

This report is critical reading for anyone who wants a worldwide perspective on the security threats behind data breaches and the role management can play to contain them. IBM has created a number of resources for you to learn more about and share this report.

The Ponemon study is further evidence of the need for rigorous security policies and management systems — programs that proactively protect all parts of the organization including users, data, applications and infrastructure. To do it right, CISOs, executives and boards of directors need to focus on four key concepts: optimizing security programs, stopping advanced threats, protecting critical assets, and safeguarding cloud and mobile environments.

Read the latest global cost of a data breach study and country-specific reports
