2017 Ponemon Cost of Data Breach Study: Analyzing the Research
The news is mixed: the cost of a data breach is going down, but the size of a data breach is going up. The 2017 Ponemon Institute Cost of Data Breach Study delves into the cost of data breaches to organizations across the globe.
The Ponemon Institute collected direct expenses (engaging experts, providing hotline support, offering free credit monitoring or discounts) and indirect expenses (in-house investigations and communication, as well as the extrapolated value of customer loss) to calculate data breach cost. The survey of 419 companies across 11 countries found the following:
- The average total cost of a data breach decreased from $4.00 to $3.62 million.
- The average cost for each lost or stolen record containing sensitive and confidential information also decreased from $158 in 2016 to $141. A large contributor to this decline in cost was the strong U.S. dollar. Approximately $8 (48 percent) of this decline can be attributed to currency rate fluctuation.
- The average size of the data breaches in the research increased 1.8 percent.
Location and Industry Impact Cost of a Data Breach
The Middle East, the United States and Japan saw significant increases in the cost of data breaches. Organizations in Germany, France, Australia, and the United Kingdom saw a reduction in the cost of a data breach.
Several factors contribute to the cost of a breach in a particular geography. For example, organizations in Australia, Germany, France and the United Kingdom were able to improve their ability to keep customers and, as a result, reduced the cost of a data breach. Most of these locations were also able to limit the number of customer records lost or stolen and, as a result, had lower costs. Countries in the Middle East and the United States experienced a higher percentage of customer churn and had higher costs. Organizations in Brazil, India, the Middle East and South Africa had data breaches involving more lost or stolen records, which increased their costs.
Detection and escalation costs are highest in Canada and lowest in Brazil. Notification costs for organizations in the United States were the highest, whereas India had the lowest.
Heavily regulated industries such as healthcare, education and financial services have a per-record cost substantially higher than the overall mean of $141. Public sector, research, media and transportation organizations have a per-record cost well under the overall mean.
Recommendations to Reduce Costs of a Data Breach
Based on the research findings, the Ponemon study extrapolated several recommendations to reduce both customer churn and the cost of a data breach:
- Employ a senior leader such as a chief privacy officer or chief information security officer to direct initiatives that improve customers’ trust in how the organization safeguards their personal information.
- The more records lost, the higher the cost of data breach. Use data classification schema and retention programs to get visibility into the sensitive and confidential information that is vulnerable to a breach and reduce the volume of such information.
- Incident response (IR) teams and the extensive use of encryption reduce costs. In this year’s research, an IR team reduced the cost by as much as $19 per compromised record. Similarly, the extensive use of encryption reduced cost.
- An attack by a malicious insider or criminal is costlier than system glitches and negligence. Factors that may decrease the cost include the use of security analytics.
- The faster the data breach can be identified and contained, the lower the costs. If the mean time to identify (MTTI) was under 100 days, the estimated average total cost of data breach was $2.80 million. If it was over 100 days, the estimated cost was $3.83 million. Having tools that heighten detective or forensic capabilities can significantly reduce data breach cost.
Using Technology to Reduce Breach Cost
Monitoring software such as the Teramind solution can help to identify costly insider or criminal threats and reduce the time to detect a breach – both of which are key factors in the overall cost of a data breach today.