It’s always exciting to announce the results of our annual Cost of a Data Breach Report, and this year, the 14th report conducted by the Ponemon Institute, the 2019 Cost of a Data Breach Report offers new and innovative ways to analyze the financial impacts, root causes and mitigating factors of data breaches on a global scale.


In this year’s report, we studied the costs associated with breaches that occurred between July 2018 and April 2019 at 507 organizations in 16 countries and regions and across 17 industry sectors. The global average cost of a data breach in the 2019 study is $3.92 million, a 1.5 percent increase over the 2018 study. Looking further back, the average total cost of a data breach has climbed from $3.5 million in 2014, a 12 percent increase between 2014 and 2019.

Cost of a Data Breach Highlights

Some of the other key findings from the 2019 Cost of a Data Breach Report are consistent with past years of the study. Just as it was last year, the most expensive country in terms of average total cost of a data breach is the U.S. at $8.19 million, more than twice the global average. Healthcare was again the most expensive industry for data breach costs, with the total cost of a data breach in 2019 averaging $6.45 million.

We also found characteristics of data breaches that show how hard it is for organizations to detect and contain them. This year, the average time it takes organizations to identify and contain a breach, which we call the data breach life cycle, is 279 days, 4.9 percent longer than the 266-day average in 2018. The longer a breach’s life cycle, the greater its total cost. This is especially true of malicious and criminal attacks, which take an average of 314 days to identify and contain.

As we found in our research, malicious and criminal attacks are the leading root cause of data breaches in 2019 at 51 percent. The other two categories of root causes are system glitches — breaches caused by technology failures not attributable to a human, such as a vulnerability — and human error — breaches caused by neglect or error by a person. System glitches cause 25 percent of data breaches in 2019, and human error is the root cause of 24 percent of breaches. While much attention in the security world is placed on malicious attacks, it’s worth noting that breaches caused by system glitches and human error can have consequences that are just as serious.

However, as mentioned, breaches attributed to malicious attacks do tend to take longer to identify and contain, potentially making them more costly than other breaches. Our research found that the cost of a breach with a life cycle of more than 200 days is $1.2 million higher than a breach with a life cycle of less than 200 days.

Top Cost Mitigating Factors: Incident Response Teams, Plans and Encryption

Our research has traditionally looked at factors that either increase or decrease the cost of a data breach. In this year’s report, we added some new cost factors into the mix to flesh out more findings about what areas businesses could look at to mitigate the financial impacts of a data breach.

Of the 26 cost factors in this year’s analysis, the top cost-mitigating factor is the formation of an incident response team, which reduced the average total cost of a data breach by $360,000 relative to the mean total cost of $3.92 million. Extensive use of encryption was found to reduce the total cost by the same amount, $360,000. This year we also examined the impact of testing an incident response plan, which proved to be one of the most effective mitigating factors, reducing the average total cost of a breach by $320,000.

Several other cost-mitigating factors worth noting are business continuity management, a DevSecOps approach, artificial intelligence (AI) platforms and good, old-fashioned employee education.

On the other side of the ledger, we found that the involvement of a third-party partner tends to increase the total cost of a data breach by about $370,000. Other factors found to increase the average total cost of a data breach include compliance failures, extensive cloud migration, operational technology (OT) infrastructure and system complexity.

The Long-Tail Costs of a Data Breach

We frequently examine in our reports the year-over-year comparisons of cost trends, but our research methodology generally does not study the same organizations year after year. This year, for the first time, we examined breach costs over several years at 86 organizations. Our findings revealed that data breach costs have a long tail: Although the majority of breach costs occur in the first year after a data breach, about one-third of costs are incurred more than a year after a breach.

Even more striking is the comparison between the long-tail cost of a breach at organizations in highly regulated environments — those in the healthcare, financial and energy industries — with those in environments with lower levels of regulation. Data breach costs are much less concentrated in the first year for organizations in those highly regulated industries, with 47 percent of breach costs occurring more than a year after the data breach incident.

We believe one factor contributing to the longer tail in those highly regulated industries is legal and regulatory costs, such as class action lawsuits and regulatory fines, that come well after a data breach occurs. Healthcare and financial services, both highly regulated industries, are also more impacted by lost business than other industries, which could be a factor in data breach costs extending long after a breach incident. Healthcare organizations in this year’s study had an abnormal customer turnover of 7 percent, and financial services had abnormal customer turnover of 5.9 percent versus an average customer turnover of 3.9 percent. Lost business is the biggest contributor to data breach costs, accounting for 36 percent of the average total cost.

Complete Findings From the 2019 Cost of a Data Breach Report

There are many more illuminating ways to look at the cost of a data breach, and the 2019 Cost of a Data Breach Report offers much more than I can cover in a single blog post. For example, the report goes into great detail about the regional and industry differences in total cost, customer turnover, data breach size and data breach life cycle. We also looked in greater depth at the impacts of an effective incident response strategy, and we examined the cost impacts of security automation using technologies such as AI, machine learning, analytics and automated post-breach orchestration. These are topics worthy of further investigation, and we will return to them in the next Cost of a Data Breach Report.

In the meantime, I encourage you to sign up to access the full report and the data breach cost calculator, which you can toggle to drill down into the data by country, industry and cost factor.

