In communicating with the business and the board about the consequences of data breaches, IT is always going to be asked to place dollar figures, which can be difficult to do, even with increasing access to predictive analytics and historical data from any previous breaches in the organization. One of the most extensive benchmark studies that IT can use to help with this is the Ponemon Institute’s annual “Cost of Data Breach Study: Global Analysis.” In its 10th year, and sponsored by IBM, the recently released 2015 edition covers 11 countries, 350 companies, and detailed data about direct and indirect costs of data breaches.
Three major reasons are contributing to a rapid increase in the average cost of a data breach and the average cost per breached record – this last varying by industry – according to Chairman and Founder Dr. Larry Ponemon:
“First, cyber attacks are increasing both in frequency and the cost it requires to resolve these security incidents. Second, the financial consequences of losing customers in the aftermath of a breach are having a greater impact on the cost. Third, more companies are incurring higher costs in their forensic and investigative activities, assessments and crisis team management."
Overall, the average cost per lost or stolen record was found to be $154; within the health care industry, that average could be as high as $363. In education, the average reached $300. The lowest industry averages: transportation, at $121, and public sector, at $68. The report also breaks down averages among the 11 countries surveyed; you can select country-specific data upon downloading the free report.
How can these costs be mitigated? Key takeaways involve the board of directors and purchasing data breach insurance products. Ponemon figures that a board active in breach risk management can reduce costs by $5.50 per record, and insurance can make a reduction of $4.40 per record possible. And business continuity management during remediation produces very good results: reducing the cost per record by $7.10.
The damage to customer relationships and lost business after a breach are on the rise: Ponemon put this cost area at $1.23 million per breach in 2013 and $1.57 million for 2015. Direct notification costs were about the only area where a decrease was found, but the numbers are already quite small, relatively, averaging $170,000 this year, down from $190,000 last year.
Kachina Shaw is managing editor for IT Business Edge and has been writing and editing about IT and the business for 15 years. She writes about IT careers, management, technology trends and managing risk. Follow Kachina on Twitter @Kachina and on Google+