The typical consumer data breach costs the compromised business millions of dollars, and the bill rises sharply for incidents on the scale of those that hit Equifax or Facebook in recent years, according to new research from IBM Security and the Ponemon Institute.
On a global scale, the average data breach exposes 25,575 sensitive consumer records and carries a total cost of $3.92 million, according to IBM’s 2019 “Cost of a Data Breach” report. Breaches are even more expensive for U.S.-based firms, which face an average cost of $8.19 million per breach. So-called “mega breaches” of more than 1 million records cost far more: for breaches exceeding 50 million records, such as Facebook’s Cambridge Analytica scandal, the report put the average cost at $388 million in 2019.
While the financial impact of a data breach can linger for years in the form of lawsuits, regulatory action and lost customers, a fast, well-rehearsed response can cut costs and limit the fallout, according to Chris Scott, the global remediation lead for IBM’s X-Force Incident Response and Intelligence Services. The average time to identify and contain a breach was 279 days, but companies that shortened that window to under 200 days saved an average of more than $1 million.
“If the first time you use that instant response plan, you’re just wiping the dust off the paper and you haven’t [trained on] it and you’re in the middle of a crisis, when the cortisol hits the brain, you’re not going to remember how to respond because you haven’t trained on it,” Scott told FOX Business.
While data breaches have become a regular occurrence in the business world, major cyberattacks affecting top firms such as Equifax and Facebook have generated unprecedented, ongoing regulatory scrutiny.
Equifax, the credit monitoring service, agreed this week to pay as much as $700 million to reimburse consumers affected by a data breach that exposed the personal records of nearly 147 million people. Facebook is set to pay a $5 billion fine to the Federal Trade Commission to settle a probe into its data privacy practices in the wake of the Cambridge Analytica scandal, which exposed sensitive information for up to 87 million users.
Breaches of that size are a rarity: just 14 of the companies in IBM’s study experienced a “mega breach” of 1 million or more lost records.
Beyond a dedicated cybersecurity staff with a tested response plan in place, companies can turn to security automation tools, including artificial intelligence and machine learning, to help defend against cyberattacks, Scott said. State-sponsored attacks are particularly difficult to rebuff.
“The thing we always have to remember is that there’s a creative human on the other side of that computer who is doing their best [to breach systems], especially from a nation-state perspective,” Scott said. “It’s that person’s job to take information, whether that’s intellectual property or [personally identifiable information], they get paid to steal information. We have to be able to support our creative humans on the defending side to work through that progress.”
IBM and Ponemon Institute based their findings on interviews with executives from more than 500 companies worldwide who experienced a data breach from July 2018 to April 2019. The average cost estimates the impact of hundreds of factors, including breach-related litigation, reputational damage, loss of customers and regulatory action, such as fines.
For U.S.-based firms, costs associated with data breaches are significantly higher due to the impact of lost business, such as brand damage, system downtime and customer loss. Those costs amounted to more than $4 million of the $8.19 million price tag.
Even the cost of notifying customers about a breach, in the form of paper, envelopes and postage, can have a crushing impact on a small business, Scott noted. About 67 percent of breach costs are incurred in the first year, with the remaining third spread over the following two years and beyond.
The healthcare sector experienced the most costly breaches by industry, with an average expense of $6.45 million per incident.