Average cost of data breach reaches record levels: but business continuity quantitatively reduces the loss amount

Published: Thursday, 28 May 2015 07:16

The Ponemon Institute has released its annual Cost of Data Breach Study: Global Analysis, sponsored by IBM. According to the benchmark study of 350 companies spanning 11 countries, the average consolidated total cost of a data breach is $3.8 million, representing a 23 percent increase since 2013.

The study also found that the average cost incurred for each lost or stolen record containing sensitive and confidential information increased six percent from a consolidated average of $145 to $154. Healthcare emerged as the industry with the highest cost per stolen record with the average cost for organizations reaching as high as $363. Additionally, retailers have seen their average cost per stolen record jump dramatically from $105 last year to $165 in this year's study.

"Based on our field research, we identified three major reasons why the cost keeps climbing," said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. "First, cyber attacks are increasing both in frequency and the cost it requires to resolve these security incidents. Second, the financial consequences of losing customers in the aftermath of a breach are having a greater impact on the cost. Third, more companies are incurring higher costs in their forensic and investigative activities, assessments and crisis team management."

The first Cost of Data Breach study was conducted 10 years ago in the United States. Since then, the research has expanded to 11 countries. Ponemon Institute's Cost of Data Breach research is based on actual data of hundreds of indirect and direct cost categories collected at the company level using field-based research methods and an activity-based costing framework. This approach has been validated from the analysis of more than 1,600 companies that experienced a material data breach over the past 10 years in 11 countries.

The 2015 research involved the collection of detailed information about the financial consequences of a data breach. For purposes of this research, a data breach occurs when sensitive, protected or confidential data is lost or stolen and put at risk. Over a 10-month period, Ponemon Institute researchers conducted more than 1,500 interviews with IT, compliance and information security practitioners representing 350 organizations in the following 11 countries: United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the Arabian region (a consolidation of organizations in the United Arab Emirates and Saudi Arabia) and, for the first time, Canada.

The key findings from the survey are:

Predicting the likelihood of a data breach

For the second year, the research looked at the likelihood of a company having one or more data breaches in the next 24 months. Based on the experiences of companies participating in this research, the probability is based on two factors: how many records were lost or stolen and the company's industry. According to the findings, Brazilian and French companies are more likely to have a data breach involving a minimum of 10,000 records. In contrast, organizations in Germany and Canada are least likely to have a breach. In all cases, it is more likely a company will have a breach involving 10,000 or fewer records than a mega breach involving more than 100,000 records.

Download the complete report from www.ibm.com/security/data-breach