Data breaches can haunt firms for years
The compromised company may bear the financial brunt of the breach within the first
year after the incident occurs, but the price tag is still far from final.
The average cost of a data breach has
risen 12% over the past five years to US$3.92 million globally, according
to IBM’s 2019 Cost of a Data Breach study, which drew on input from more than 500
companies around the world that suffered a breach over the past year.
The rising financial impact was attributed to a
trio of factors – the multi-year financial fallout from breaches, increased
regulation, and the complexity of resolving criminal attacks.
The report comes at a time when several companies
are facing the prospect of hefty bills for massive cyber-incidents. These
include Equifax in the United States and British Airways and Marriott Starwood
in the United Kingdom.
For the first time this year, the study from IBM
Security and Ponemon Institute also looked at the ‘long tail’ financial impacts
of breaches. It found that while the compromised firm typically bears the
financial brunt of the incident within the first year after it occurs, by no
means is it ‘out of the woods’ so soon.
“While an average of 67% of data breach costs were
realized within the first year after a breach, 22% accrued in the second year
and another 11% accumulated more than two years after a breach. The long tail
costs were higher in the second and third years for organizations in
highly-regulated environments, such as healthcare, financial services, energy
and pharmaceuticals,” reads the press release.
Among other findings, the report highlighted that
in a number of ‘scenarios’ the financial consequences can climb even higher.
First, incidents tend to be costlier for firms
that suffered breaches at the hands of malicious actors, as opposed to
incidents caused by human or system errors. Malicious breaches not only
accounted for more than one-half of the incidents under review, but they also
cost US$1 million more than the inadvertent breaches
(US$4.45 million versus US$3.5 million).
In addition, for firms based in the US, the average
cost of a breach climbed all the way to US$8.19 million, having risen by
130% over the past 14 years.
Typically, breaches weigh particularly heavily on
healthcare organizations, which recorded the highest cost
(US$6.5 million) and topped the list for the ninth year in a row.
Regardless of the industry, however, a data breach
can be downright devastating for a small and even mid-sized business. The study
found that companies with fewer than 500 employees suffered losses of more than
US$2.5 million on average. To put that into perspective, small businesses
typically earn $50 million or less in annual revenue.
The average life cycle of a breach was 279 days.
More precisely, on average it took companies 206 days to spot and another 73
days to contain the incident. When it comes to only malicious breaches, it took
even longer – 314 days.
“Companies in the study who were able to detect and
contain a breach in less than 200 days spent US$1.2 million less on the total
cost of a breach,” according to the report. It outlined a slew of other factors
that influenced the financial fallout, including the number of data records
lost, whether the breach originated from a third party, and whether the company
made extensive use of encryption.
In her excellent article last year, ESET security researcher Lysa Myers outlined how
preparing for the worst can actually help firms avoid falling victim to such
incidents in the first place.
For more information on ESET and the
free e-book, visit: https://www.eset.com/be-fr/professionnels/data-protection-ebook/