According to the 2019 Cost of Data Breach Report from Ponemon Institute and IBM Security, the global average cost of a data breach has grown by 12 percent in the last five years to $3.92 million. This was driven by the multi-year financial impact of breaches, increased regulation and the difficult process of resolving cyber attacks.
The United States had the highest cost at $8.19 million and healthcare had the highest average industry cost of $6.45 million likely due to their high amount of personal data.
The report takes into account hundreds of cost factors from legal, regulatory and technical activities, to loss of brand equity, customer turnover and drain on employee productivity and is based on interviews with 507 companies who experienced a data breach between July 2018 and April 2019.
It's important to note that this report does not account for mega breaches that happened, like Equifax and Facebook.
Above all, the report shows the high cost of a breach and the need for organizations to reduce cybersecurity risk and improve their overall security posture. Data protection, data security and data breach prevention must be part of every organization's information security policy, the long-tail impact of a data breach can be felt for years after the initial incident.
Table of contents
- Key findings of the 2019 Cost of Data Breach Report
- What was the biggest contributor to data breach costs?
- How long do data breaches impact organizations?
- How long was the average breach lifecycle?
- What was the most common and expensive cause of breaches?
- How much did breaches caused by human errors and system glitches cost?
- Are small businesses affected by data breaches?
- What are the biggest cost amplifiers of data breaches?
- What reduces the cost of a data breach?
- What is the impact of an incident response team and testing?
- Does automated security reduce costs?
- How does region and industry impact the cost of data breaches?
- What are the odds of experiencing a data breach?
- How UpGuard can prevent data breaches and find leaked credentials
1. Key findings of the 2019 Cost of Data Breach Report
The report had twelve key findings:
- Lost business was the biggest contributor to data breach costs
- Data breaches impacted organizations for years
- The lifecycle of a data breach is growing
- Malicious cyber attacks were the most common and expensive root cause of breaches
- Human error and system glitches still costs millions
- Small businesses are hit harder proportionately
- Cloud migration, IT complexity and third-party breaches were cost multipliers
- Encryption, business continuity management, DevSecOps and threat intelligence sharing were cost mitigators
- Companies with incident response teams and extensive testing saved over $1.2m
- Automation of security reduced costs
- Region and industry impact cost
- The odds of a data breach are increasing
2. What was the biggest contributor to data breach costs?
The cost of data breach study showed that data breaches had a huge negative impact of customer trust, which led to lost business.
Lost business was the largest of the four major costs that contributed to the total cost of a data breach.
The average cost of lost business was $1.42 million and caused 3.9 percent of customers to churn.
At the low end, a data breach caused less than one percent of customers to churn with an average total cost of $2.8 million. At the high end, customer turnover was more than four percent and had an average cost of $5.7 million, 45% higher than the average total cost of a data breach.
3. How long do data breaches impact organizations?
According to the cost of a data breach study, one-third of data breach costs occur more than a year after after a data breach incident, according to 86 companies studied over multiple years.
67 percent of breach costs came in the first year, 22 percent accrued in the second year and 11 percent was accrued more than two years after a breach.
Organizations in highly regulated industries, such as healthcare organizations and financial services businesses, suffered from the worst long-tail costs with the cost of a breach rising in the second and third years.
High data protection regulatory environments saw 53 percent of breach costs in the first year, 32 percent in the second year and 16 percent more than two years after a breach. This is likely driven by new regulatory fines and the introduction of breach notification laws like GDPR.
4. How long was the average breach lifecycle?
A breach lifecycle is the time between when a data breach incident occurs and when the breach is contained. Breach lifecycles grew between last year and 2019, with the average time to identify a breach in 2019 of 206 days and the average time to contain a breach of 73 days, totalling 279 days.
This represents a 4.9 percent increase over the 2018 lifecycle of 266 days.
The key thing to understand is that the faster a data breach is identified and contained, the lower the costs. Lifecycles less than 200 days were on average $1.22 million less costly than breaches with lifecycles greater than 200 days ($3.34 million vs $4.56 million).
5. What was the most common and expensive cause of breaches?
The annual Cost of a Data Breach Report found that criminal attacks were the most common cause of breaches and the most expensive.
Since 2014, data breaches caused by cybercriminals grew by 21 percent, growing from 42 percent in 2014 to 51 percent in 2019. Further, these types of breaches took longer to identify and contain: a combined 314 days.
This likely explains why breaches caused by malicious attacks were 27 percent more costly than breaches caused by human error ($4.45 million vs $3.5 million) and 37 percent more costly than a breach caused by system glitches ($4.45 million vs $3.24 million).
6. How much did breaches caused by human errors and system glitches cost?
While malicious breaches were most common, accidental breaches (data leaks) were still the root cause of nearly half of the data breaches in the report.
Human error includes phishing attacks and stolen and infected devices and were responsible for about a quarter of breaches. The average loss due to human error was $3.5 million.
System glitches where inadvertent failures could not be tied to human action accounted for another quarter. The average loss due to system glitches was $3.24 million.
7. Are small businesses affected by data breaches?
There was significant variation in total data breach costs by organization size.
Large organizations with more than 25,000 employees had an average cost of a data breach of $5.11 million or $204 per employee.
Smaller organizations with 500-1,000 employees had an average cost of $2.65 million or $3,533 per employee.
This is one of the hidden costs of a data breach. Small organizations are hit more than 10x harder than large organizations, which can result in an irrecoverable impact on their bottom line.
8. What are the biggest cost amplifiers of data breaches?
The five biggest cost amplifiers were third-party involvement, compliance failures, exentisev cloud migration, system complexity and operational technology.
Third-party data breaches increased costs by more than $370,000 for an adjusted average total cost of $4.29 million. This is why third-party risk management and vendor risk management are so important. You need to be monitoring and mitigating your third-party risks and fourth-party risks.
Cloud migrations saw a cost increase of $300,000 per breach for an adjusted average cost of $4.22 million and system complexity increased the cost of a breach by $290,000 to $4.21 million.
9. What reduces the cost of a data breach?
Extensive use of encryption, data loss prevention, threat intelligence sharing and DevSecOps were all associated with a lower average data breach cost. Among these encryption had the largest impact reducing the cost by an average of $360,000 followed by business continuity management which reduced the total cost of a data breach by $280,000.
10. What is the impact of an incident response team and testing?
Organizations who were able to respond effectively after a data breach and followed a well rehearsed incident response plan were able to lower the average cost of a data breach by $1.23 million ($3.51 million vs $4.74 million).
11. Does automated security reduce costs?
Organizations with security automation technologies that reduced the need for human intervention saw significantly lower costs after experiencing a data breach ($2.65 million vs $5.16 million)
It's becoming more costly to not use automation with the average growing from $4.43 million in 2018 to $5.16 million in 2019, whereas organizations with automation saw their costs decrease from $2.88 million in 2018 to $2.65 million in 2019.
12. How does region and industry impact the cost of data breaches?
Data breaches in the United States continue to be vastly more expensive than other countries, with an average total of $8.19 million (more than double the global average).
The cost has increased by 130 percent over the last 14 years, up from $3.54 million in 2006.
The Middle East had the highest average number of breached records (38,800 per breach, versus the global average of 25,500).
Healthcare, for the ninth year in a row, continued to have the highest cost at $6.45 million, over 60 percent higher than the global average of all industries.
13. What are the odds of experiencing a data breach?
The chance of experiencing a data breach was 29.6 percent in 2019, an increase from 27.9 percent in 2018.
In the span of six years, the likelihood of a data breach within two years grew 7 percentage points, a 31 percent increase in the odds of experiencing a breach within two years.
In other words, your organization is nearly one-third more likely to experience a breach within two years than they were in 2014.
14. How UpGuard can prevent data breaches and find leaked credentials
UpGuard BreachSight can help combat typosquatting, prevent data breaches and data leaks, avoiding regulatory fines and protecting your customer's trust through cyber security ratings and continuous exposure detection.
We can also help you continuously monitor, rate and send security questionnaires to your vendors to control third-party risk and fourth-party risk and improve your security posture, as well as automatically create an inventory, enforce policies, and detect unexpected changes to your IT infrastructure. Helping you scale your vendor risk management, third-party risk management and cyber security risk assessment processes.
Cybersecurity is becoming more important than ever before.