The Ponemon report highlights four reasons a data breach can cost so much: detection and escalation, notification, lost business and post data breach response.
Let’s examine each of these.
Detection and escalation: The cost of the activities that enable a company to detect the breach and escalate it to the right people. This covers forensic and investigative work, assessment and audit services, crisis management, and communications to executives and boards.
Notification: This covers activities that enable the company to notify data subjects, data protection regulators and other third parties.
Lost business: Here, money is spent to minimise the loss of customers, business disruption and revenue losses.
Post data breach response: This covers activities to help victims of a breach communicate with the company and activities to provide redress to victims and regulators.
The biggest cost contributor is lost business: increased customer turnover, lost revenue from system downtime and the higher cost of acquiring new business with a diminished reputation.
According to Ponemon, lost business accounted for 40% of the average total cost of a data breach.
What kind of data is the biggest target?
The most frequently compromised – and the costliest – data is personally identifiable information (PII). The average cost per lost or stolen record containing customer PII is $150. In a malicious attack, the cost rises to $175 per record.
Which companies pay the most?
There are three main causes of a data breach: malicious attacks (52%), human error (23%) and system glitches (25%).
One in five victims of a malicious data breach were infiltrated via stolen or compromised credentials. In these instances, the typical total cost was $4.77 million – nearly $1 million higher than average. Breaches due to cloud misconfigurations raised the $3.86 million average cost of a breach by more than $500,000, to $4.41 million.
In addition to being more costly, malicious breaches are harder to deal with. They take 315 days on average to detect and contain, compared to 244 days for a system glitch breach and 239 days for a breach caused by human error.
The cost of a data breach is higher for companies with complex security systems, caused by a multiplicity of technologies and a lack of in-house expertise. Cloud migration is also associated with higher-than-average data breach costs.
In terms of who bears the highest cost from a management point of view, CISOs and CIOs are particularly vulnerable – even though they might not be responsible.
Ponemon found 46% of businesses believed the CISO or CSO would be held responsible for a data breach, despite only 27% saying they are most responsible for cybersecurity policy and technology decision-making.
Mitigating the cost of a data breach
The three most effective ways to mitigate the cost of a data breach are security automation, forming an incident response (IR) team, and testing the IR plan together with business continuity management.
The Ponemon report indicates that businesses with an incident response team suffer a lower average cost due to a data breach compared to those without. Similarly, the average cost for those that fully deploy security automation is much lower than for those without it.
There are a number of measures you can adopt to minimise the impact of a data breach:
Stress test your incident response plan to increase cyber resilience.
Use tools that protect and monitor endpoints and remote employees.
Adopt a zero-trust security model to prevent unauthorised access to sensitive data.
Invest in governance, risk management and compliance programmes.
Reduce the complexity of IT and security environments.
Protect sensitive data in cloud environments via policy and technology.
Use managed security services to fill any internal security skill gaps.