Author: David Bisson / Source: The State of Security
Data breaches remain a constant concern among boards and executives. Part of the reasoning behind this anxiety is the cost of responding to a data breach. Most years, not only does the per capita cost of a record compromised in a breach go up – so, too, does the total organizational cost.
For 12 years, Ponemon Institute and IBM Security have been tracking the financial burden of a data breach. They found that per capita and organizational costs of a data breach reached all-time highs in their newest research. Additionally, they identified multiple factors, four of which are new, that influence the cost of a security incident.
These are just some of the trends discussed by Ponemon and IBM in their 2017 Cost of a Data Breach Study. Let’s now dive into the report’s major findings.
How Ponemon and IBM Calculate Data Breach Costs
Ponemon Institute and IBM Security compute the cost of a data breach using activity-based costing (ABC). For this method of calculation, they first identify activities for detection and response, such as launching investigations, organizing incident response teams and conducting public outreach.
They then assign a cost to an organization’s actual use of these activities, which the company submits to Ponemon and IBM as part of their participation in their research. Once a company provides all its estimated costs for its activities associated with a data breach, Ponemon and IBM categorize the costs as direct, indirect and opportunity.
Direct costs refer to how much companies spend on addressing the consequences of a data breach and helping victims, expenses which include hiring forensic experts and offering identity theft protection services to victims. Indirect costs are time, effort and other internal resources that organizations dedicate to responding to a data breach, with costs ranging from reputation loss to time spent on notifying victims. Opportunity costs are the lost business opportunities that result from a decrease in reputation capital after the public and the media have learned about a breach.
Each annual Cost of a Data Breach Study also looks at activities that fall into one of four cost cores: detection or discovery, escalation, notification and post data breach.
Key Data Breach Cost Findings
For its 2017 report, Ponemon and IBM interviewed 1,900 individuals from 419 organizations in 11 countries and two regions (including 63 US companies operating from 16 industry sectors) that suffered at least one breach in the previous 10 months. They asked respondents how many records the incident affected and what percent of their organization’s customer base it breached. They also asked about their company’s discovery and recovery efforts.
The average cost of a lost or stolen record compromised in a data breach (i.e. the per capita cost) increased from $221 in their 2016 study to $225. This cost consists of $146 spent on indirect costs and $79 on direct costs. By comparison, organizations that suffered a data breach the year prior spent $145 and $76 on indirect costs and direct costs, respectively.
The total average organization cost of a data breach also went up. In its 2016 study, companies spent an average of $7.01 million. They spent $7.35 million a year later, thereby replacing the previous all-time high of $7.24 million back in 2011.
Aside from these changes in cost, Ponemon and…
Click here to read more
