What can a U.S. company expect to pay if breached today? According to the recently released IBM/Ponemon Institute report 2016 Cost of a Data Breach Study, the average cost of a breach for U.S. organizations rose to $7 million. That’s an increase of 23% since 2013.
For the past 11 years, the Ponemon Institute has reported on the cost incurred by businesses, providing a window into the evolving cyberattack landscape. For the current report, respondents included 64 companies — from a variety of industries — that had actually been breached and were required to notify their clients and employees of the breach. Most of the breach incidents occurred in 2015, with a few recorded in 2016. Ponemon also conducted a separate global study that examined breaches in 12 countries.
The findings support what many organizations already know: The price tag for a breach is at an all-time high. The average cost for a breached record rose to $221 from $217, broken into $76 for direct costs — such as IT investment and hiring legal teams and forensic experts — and $145 for indirect costs — for example, customer churn, notification activities and in-house investigations. And cleaning up after a breach can carry a hefty fee. In the aftermath of a 2015 breach, a U.S. healthcare insurance provider quickly ran through its $100 million cyberinsurance policy when notifying its 80 million previous and current customers.
Unsurprisingly, half of all the recorded breaches were the result of malicious or bad actor attacks, costing companies $236 per record, or $15 above the average breach. Careless staff (23%) and problems with IT and business systems (27%) made up the remainder, averaging costs per record of $197 and $213, respectively.
The number of customer records companies hold was strongly linked to overall financial impact. For breaches resulting in fewer than 10,000 lost records, the average overall cost was $4.9 million. The price tag jumped to $13.1 million for companies with losses of at least 50,000 records.
Spending on detection and escalation activities — forensics, audit services, crisis management and executive communications — captured $120,000 more of overall costs compared to last year, suggesting that companies are recognizing the value of post-breach services.
Results showed that companies not only experienced customer churn following a breach but had their bottom lines significantly impacted as a result. When customer loss was less than 1%, an average cost of $5.4 million was recorded. Losses jumped to an average cost of $12.1 million for companies suffering churn of 4% or greater.
The longer bad actors were able to roam a company’s network, the higher the outlay. Ponemon reports that when a breach was identified within 100 days, costs were kept to $5.83 million on average. In contrast, when a breach went undetected for 100 days or more, average costs jumped to $8.01 million.
Preparing for the inevitable
Executives have a choice in how their bottom line is impacted when a breach strikes. As outlined in the report AT&T Cybersecurity Insights, a practiced and up-to-date incident response plan will help a company react quickly and limit damage. Prior planning, in conjunction with strong detection and prevention tools, is key to reducing potentially debilitating effects on the financial and reputational health of organizations.
Carin Hughes is an editor of the AT&T Cybersecurity Insights report.