Businesses run on risk: They take a chance, place their bets in the marketplace and often reap great rewards. But when thinking about the cost of a data breach, you may wonder about the price for your company and what, exactly, is at stake.

Here’s one way to think about it: You’re more likely to experience a data breach of at least 10,000 records (27.9 percent) than you are to catch the flu this winter (5–20 percent, according to WebMD). And as in the case of the flu, it’s crucial to act quickly and seek a cure for a speedy recovery. Since data breaches cost money, it’s best to take a cost-based approach to gain an accurate perspective of the problem at hand.

Sponsored by IBM Security and independently conducted by my team at the Ponemon Institute, the 13th-annual Cost of Data Breach Study includes two new factors in its analysis that influence data-breach costs: deployment of artificial intelligence (AI) and the extensive use of Internet of Things (IoT) devices.

The analysis also includes the cost of a so-called mega breach — an incident resulting in the loss of 1 million records or more — and the financial consequences of customers losing trust in your organization.

Download the latest Cost of a Data Breach Report from the Ponemon Institute

The Global Cost of a Data Breach Is Up in 2018

In this year’s study, the average cost of a data breach per compromised record was $148, and it took organizations 196 days, on average, to detect a breach. Overall, we found that the total cost, per-capita cost and average size of a data breach (by number of records lost or stolen) have all increased year over year.

Locations that experienced the most expensive data breaches include the U.S., where notification costs are nearly five times the global average, and the Middle East, which suffered the highest proportion of malicious or criminal attacks — the most expensive type of breach to identify and address. Data breaches are less expensive in Brazil and India, where detection, escalation and notification costs rank the lowest.

While the cost of a breach increased for organizations in 13 countries compared to the five-year average, it decreased in Brazil and Japan, according to this year’s report.

Based on industry and location, our data breach calculator can determine how much a security incident might cost an organization.

The Bigger the Breach, the Higher the Cost

This year’s report found that the average total cost of a breach ranges from $2.2 million for incidents with fewer than 10,000 compromised records to $6.9 million for incidents with more than 50,000 compromised records.

But what about those massive breaches that grab national headlines? The study revealed that a mega breach (involving 1 million compromised records) could cost as much as $39.49 million. Unsurprisingly, this figure increases as the number of breached records grows. A breach involving 50 million records, for example, would result in a total cost of $350.44 million.

How Can Companies Reduce Data Breach Costs?

Among the 477 companies examined for the study, the mean time to identify a breach is still substantial (197 days), while the mean time to contain a breach is 69 days.

The good news: There are strategies to help businesses lower the potential cost of a data breach. For the fourth year running, the study found a correlation between how quickly an organization identifies and contains a breach and the total cost.

Preparation and vigilance pays: The study found that an incident response team can reduce the cost of a breach by as much as $14 per compromised record from the average per-capita cost of $148. Similarly, extensive use of encryption can cut the cost by $13 per capita.

 

Customer Trust Impacts the Total Cost of a Breach

Organizations around the world lost customers due to data breaches in the past year. However, businesses that worked to improve customer trust reduced the number of lost customers — thereby reducing the cost of a breach. When they deployed a senior-level leader, such as a chief privacy officer (CPO) or chief information security officer (CISO), to direct customer trust initiatives, businesses lost fewer customers and, again, minimized the financial consequences of a breach.

Additionally, organizations that offered data-breach victims identity protection kept more customers than those that did not. Companies that lost less than 1 percent of existing customers incurred an average total cost of $2.8 million — while companies that experienced a churn rate of greater than 4 percent lost $6 million on average.

Examining the Effects of AI and IoT Adoption

For the first time, this year’s study examined the effects of organizations adopting AI as part of their security automation strategy and the extensive use of IoT devices. AI security platforms save companies money — an average of $8 per compromised record — and use machine learning, analytics and orchestration to help human responders identify and contain breaches. However, only 15 percent of companies surveyed said they had fully deployed AI. Meanwhile, businesses that use IoT devices extensively pay $5 more per compromised record on average.

To get the full rundown of the potential costs associated with a data breach — and learn what you can do to help protect your business — download the 2018 Cost of Data Breach Study: Global Overview, and take a look at our accompanying infographic.

You can also use our data breach calculator to explore the industry, location and cost factors if you experience a security incident.

See the latest findings from the 2019 Cost of a Data Breach Report

More from Security Services

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Ermac malware: The other side of the code

6 min read - When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the…

ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware

12 min read - As of December 2023, IBM X-Force has uncovered multiple lure documents that predominately feature the ongoing Israel-Hamas war to facilitate the delivery of the ITG05 exclusive Headlace backdoor. The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers. ITG05’s infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign. X-Force tracks ITG05 as…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today