General security

How Much Does a Data Breach Cost? Reading the 2018 Cost of a Data Breach Study

Pierluigi Paganini
July 20, 2018 by
Pierluigi Paganini

How much does a data breach cost?

It isn't a simple question, but the answer is the only way to transmit the urgency of the situation to C-level executives.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

The 2018 Cost of a Data Breach Study, the 2018 edition of the annual study sponsored by IBM Security and conducted by the Ponemon Institute, provides us an interesting evaluation for the total cost of security breaches.

For the first time, the study analyzed the costs associated with breaches ranging from 1 million to 50 million lost records.

The first information that emerges from the study is that the average cost of a data breach is $3.86 million, but mega-incidents affecting more than 1 million records are far more expensive.

Figure 1 - Global cost of data breaches

The study revealed that the average total cost of a breach ranges from $2.2 million (for incidents with fewer than 10,000 compromised records) to $6.9 million (for incidents with more than 50,000 compromised records).

Massive security breaches have a cost ranging from $40 million for 1 million records lost to $350 million for 50 million records lost.

A data breach involving 50 million records, for example, would result in a total cost of $350.44 million.

Figure 2 - Average total cost by size of data breaches

The researchers confirmed that the average cost for companies has increased by 6.4% from last year.

While the cost of a data breach increased for organizations in 13 countries compared to the five-year average, experts pointed out that it has decreased in Brazil and Japan.

The majority of security breaches, roughly 48%, are caused by malicious or criminal attacks. The related cost per capita is at $157.

Other causes are human error (27%) with a cost of $131 per capita and system glitches (25%) with $128 per capita.

"This year we found that the average total cost of a data breach, the average cost for each lost or stolen record (per capita cost), and the average size of data breaches have all increased beyond the 2017 report averages," reads the report.

"The average total cost rose from $3.62 to $3.86 million, an increase of 6.4 percent.

"The average cost for each lost record rose from $141 to $148, an increase of 4.8 percent

"The average size of the data breaches in this research increased by 2.2 percent."

According to the study, while several factors influence the overall cost of an incident, third-party involvement is the most significant.

"If a third party caused the data breach, the cost increased by more than $13 per compromised record for an adjusted average cost of $161, up from $148 per record," the report states.

"Organizations undergoing a major cloud migration at the time of the breach

saw the cost increase to per capita cost by $12, for an adjusted average cost of $160, up from $148 per record."

For the first time this year, the experts also evaluated the influence of two new cost factors: security automation and the extensive use of Internet of Things (IoT) devices.

Figure 3 - Factors that influence the cost of data breaches

The study revealed that that reputational damages caused by a data breach could have significant impact on the victims, and experts are able to calculate them.

Reputational damage could put a company out of the market because it would be considered untrustworthy by business partners.

Companies that lost less than one percent of their customers as a result of a security breach faced an average total cost of $2.8 million. Experts estimated that if four percent or more was lost, the average total cost was $6 million.

The study revealed that data breaches are the costliest in the United States and the Middle East, while these kinds of incidents are least costly in Brazil and India.

The analysis of cost per geographic area revealed that the average total cost in the United States was $7.91 million and in the Middle East was $5.31 million, while it was $1.24 million in Brazil and $1.77 million in India.

Another piece of bad news for Americans: they faced the highest average per-capita costs at $233, followed by Canada with $202.

Some costs, like notifications, are the highest in the United States. They include all activities to manage data breach notifications such as the management of contact databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures, email bounce-backs and inbound communication setups.

In the U.S. the notification costs for organizations are the highest at $740,000, while in India they are the lowest at $20,000.

Which Sectors Have the Highest Cost for a Data Breach?

For the 8th year in a row, the healthcare sector had the highest costs associated with data breaches. The average cost for a lost or stolen healthcare record was $408, three times higher than the cross-industry average ($148).

Follow in the ranking, the financial and services industries with a cost of $206 and $181 respectively.

Figure 4 - Cost of data breaches per sector

How Can Companies Reduce Data Breach Costs?

According to the study, the mean time to identify a breach is still high — roughly 197 days — while the mean time to contain a breach is 69 days.

Companies that were able to identify a security breach in less than 100 days saved more than $1 million as compared to those that took more than 100 days. Companies that contained a breach in less than 30 days saved over $1 million as compared to those that took more than 30 days to resolve the problem.

The researchers highlighted that businesses can reduce the potential cost of a data breach by adopting proper strategies. For example: the establishment of incident response teams and the extensive use of encryption.

"In this year's research, an incident response (IR) team reduced the cost by as much as $14 per compromised record. Hence, companies with a strong IR capability could anticipate an adjusted cost of $134, down from $148 per record," continues the study.

"Similarly, the extensive use of encryption reduced cost by $13 per capita, for an adjusted average cost of $135, down from $148 per record."

Data reported in the 2018 Cost of a Data Breach Study confirms that the United States and the Middle East spend the most on post-data-breach response.

The report also analyzed the indirect costs for a data breach that include employees' time, effort, and other organizational resources spent notifying victims and investigating the incident, as well as the loss of goodwill and customer churn.

The United States had the highest indirect per-capita cost at $152, followed by Canada at $116.

Figure 5 - Direct and Indirect costs of data breaches

Another interesting novelty of the report published this year is that for the first time, the researchers analyzed the effects of organizations adopting AI and IoT devices as part of their security strategies.

The adoption of AI security platforms could allow companies to save money — the researchers estimated an average of $8 per compromised record.  Machine-learning systems, analytics and orchestration are essential support for human activities in identifying and mitigating the security breaches at an early stage.

The most worrisome data unearthed by the analysis is that only 15 percent of companies surveyed had fully deployed an AI system for the protection of their infrastructure.

"This year for the first time, the report examined the effect of security automation tools which use artificial intelligence, machine learning, analytics and orchestration to augment or replace human intervention in the identification and containment of a breach," states the study.

"The analysis found that organizations that had extensively deployed automated security technologies saved over $1.5 million on the total cost of a breach ($2.88 million, compared to $4.43 million for those who had not deployed security automation.)"

Another factor that influences the cost of the data breach is the use of IoT devices. Businesses that extensively use this family of devices pay $5 more per compromised record on average.

The researchers also published a data breach calculator to allow users to explore the industry, location and cost factors in case they are affected by a security incident.


Cost of a Data Breach, IBM Security

2018 Cost of a Data Breach Study by Ponemon, IBM

Calculating the Cost of a Data Breach in 2018, the Age of AI and the IoT, Security Intelligence

2018 Cost of a Data Breach Global Overview, IBM Security

Data Breach Calculator, IBM

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

IBM Study: Hidden Costs of Data Breaches Increase Expenses for Businesses, IBM News Room

Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.