Cost of a data breach findingsThe Ponemon Institute has produced an annual cost of a data breach study.  This is the 14th year.  We have used it as a guide for a lot of information over the years.  The data has consistently been helpful for us to understand what are the key drivers in data breach costs, remediation, and response.  If you can find what the major factors include, it is a great way to determine your priorities in investing resources with the biggest impact.  Let’s see what we learned from the 2019 version sponsored by IBM.

Cost of a Data Breach 2019 Study is out

This year they added some more data to the data breach report.  There is a lot of information that has been compiled in 14 years so they are seeing the long term costs of data breaches.  They point out it is the “long tail” costs.  A lot of people don’t understand this goes on for years and the costs continue to add up over time.  They also added some other data about the security environments involved in these breaches.

For the first time, this year’s report details the “long tail” of a data breach, demonstrating that the costs of a data breach will be felt for years after the incident. The report also examines new organizational and security characteristics that impact the cost of a data breach, including: the complexity of security environments; operational technology (OT) environments; extensive testing of incident response plans; and the process of closely coordinating development, security, and IT operations functions (DevSecOps).

One very important thing to note in this report.  They do not include mega breaches in the averages calculated.  They consider mega breaches to be those with 1 million or more compromised records.  So the numbers we will review do NOT include those huge breaches.  These all apply to breaches with less than 1 million records.  It reduces the chance of misstating the actual values due to massive breaches like maybe Equifax.  Note, those went up significantly as well.  Those costs went up 8% to $42m.  If it is over 50 million that average is $388m increase of 11%.

What is the biggest contributor to the cost of a data breach?

Loss of customer trust and by extension lost business is the largest category out of the four they track.  We have always encouraged people to look at the costs of the fall out after a data breach before the costs associated with preventing them.  They lay it out clearly in this year’s report.  There are serious consequences when you have negative news coverage.  The lost business and trust issues account for 36% of the total costs.  That is brought about by 3.9% average abnormal customer turnover.  That is customers you had but lost.  It is very hard to quantify the new customers you would have gotten but never did because of all of the reputational damage.  But as in many cases, healthcare leads the numbers with a 7% turnover rate.

“Customers seem to be more willing to take their business elsewhere in highly regulated industries, such as healthcare and financial services.”

They include the costs for things like cost of business disruption and revenue losses from system downtime, cost of lost customers and acquiring new customers  (customer turnover), reputation losses and diminished goodwill to get these numbers.

When we talk to physicians we point out that your referrals may drop.  Not because the other physicians are feeling bad for you.  It is because they want to stay out of the line of fire and avoid any questions about their security or your data breach.  What would you do?  If there is a large breach with any group that you do refer patients to regularly you better devise a plan for dealing with patient questions.

Organizations worldwide continue to lose customers as a result of their data breaches. However, organizations with a senior-level leader, such as a chief privacy officer or chief information security officer, directing initiatives to help improve customer trust in the guardianship of their personal information, may see lower turnover and, therefore, reduce the cost of the breach. Organizations that offer data breach victims identity protection in the aftermath are also more successful in reducing customer turnover.

How long is that “long tail” cost thing?

That long tail is a really long tail.  We have discussed it each time there is a settlement just how long they went from discovery date to final settlements.  Years and years is what you should expect even if you are NOT in a regulated industry like financials and healthcare.  The average case sees 67% of the overall costs in the first year.  The second year is 22% and 11% happens in the following years.  But, regulated industries have a significant amount of the total in the following years.  First is 53%, 32% and more than two years is 16%.  That is those regulatory fines and investigations kicking in.

The thing they also noticed when tracking this long tail concept is the life cycle of the data breach is getting longer itself.  The time frames went up significantly in all areas of dealing with the data breach.

Discovery and containment time increased from 266 days in 2018 to 279.  That is a significant increase in one year.  It also points out the less time it takes the cheaper the costs will be.  That makes sense but the fact that over 200 days total containment time is 37% more expensive that over 200 days.  That is a big difference.  It is also an indication that everyone points out over and over.  Have a response plan so that you know what to do when it happens.  Without a response plan, you really do pay a lot more.

Smaller is not better.

“Small businesses face disproportionately larger costs relative to larger organizations.”
More than 25,000 employees in an organization is considered the largest.  The average total cost is $5.11m making the cost per employee is $204 for a data breach.  Between 500 and 1,000 the average cost per employee is $3,533 with an average total being $2.65m.  Less than 500 employees average $5480 per person at the 500 mark.  It goes up dramatically as it goes up dramatically when the average for that size is $2.74m.

This makes it clear that the costs are less in total but obviously a much bigger impact on the business as a whole.  Your costs are so much higher it leads to more losses to the overall organization and their ability to fully recover.

Total cost of breaches in the US and Healthcare

As they put it, “continuing a multi-year trend” the US has an average total cost of $8.19m which is more than double that of the global average.  Over the years of the study, the US average has increased by 130%.

And the big winner…..  

For the 9th year in a row, the healthcare industry had the highest costs associated with data breaches at $6.45m.  That is huge when the global average for all industries is $3.92m that makes healthcare costs 60% more than the average.

With an average number of records in a single breach of 32,434, it isn’t getting better there either.  We need to find better ways to purge data.  Software vendors – this is on you.  No matter what industry there needs to be less data hoarding going.  Capital One is catching flack right now for keeping records of credit applications going back to 2013.

Healthcare’s average costs per record are $429 in the US.  The lowest US industry per record is Public organizations at $78.  The next one after that is $117.  Don’t want to consider these numbers because you think they are inaccurate?  Go with $78 or $117.

It isn’t getting better any time soon.

The likelihood of experiencing a breach within the next two years has gone up dramatically as well.  That means that since 2014 the chances of having a breach in the next 2 years has grown nearly 30%.

Major cost increase factors (amplifiers)

The review looked at 26 cost factors. The top factors were third-party involvement, compliance failures, extensive cloud migration, system complexity, and operational technology.

If a third party caused the data breach, the cost increased by more than $370,000, for an adjusted average total cost of $4.29 million. Organizations undergoing a major cloud migration at the time of the breach saw a cost increase of $300,000, for an adjusted average cost of $4.22 million. System complexity increased the cost of a breach by $290,000, for an average cost of $4.21 million.

Lack of security automation almost doubles the cost.  They are 95% more expensive, in fact.  Security automation includes high-end things like AI, analytics and machine learning tools.  They help you see what is happening quicker than having to manually find it.  Someone has to be looking.

The top 6 cost amplifiers are:

  1. 3rd party – $14.04
  2. Compliance failures – $13.47
  3. Extensive cloud migration during breach – $11.39
  4. System complexity – $10.96
  5. OT Infrastructure – $10.09
  6. Extensive use of mobile platforms – $9.33

That accounts for $69.28 increase per record.

Major cost decrease factors (mitigators)

The real message here is to do your housekeeping and you save a ton of money.  Of the major causes of data breaches, 49% is due to “system glitches” and human error.  Malicious attacks keep growing in number but even those would be mitigated with proper technical housekeeping and workforce training.

cost of a data breach 2019

Source: Cost of a data breach study 2019 IBM and Ponemon Institute

Top 6 mitigators are:

  1. Forming an IR team  – $13.66
  2. Extensive use of encryption – $13.59
  3. Extensive testing of the IR plan – $12.25
  4. BCM – $10.56
  5. DevSecOps approach – $10.55
  6. Employee training – $10.31

For a potential of $70.92 total savings per record.

No matter how you slice it these things are not getting cheaper unless you are prepared to handle them.  There isn’t much that can be done if you aren’t aware of the risks and planning a response to deal with them when the inevitable happens.

We have been monitoring these numbers for the entire time we have been doing this show and even before.  People can interpret them in any way they want.  They can even ignore them if they want.  It is their business decision.  Of course, several people turned down the offer back in 1979 when Bill Gates was asking $40-to-$60 million for Microsoft.  Ross Perot among others thought it was too expensive to take him up on the offer.  He held on for a few more years and well…