The average cost of a data breach is now US$4 million, up 29% from US$3.79 million in 2015. The average cost per stolen record is US$158.
That’s according to the “2016 Cost of a Data Breach Study: Global Analysis” from IBM and Ponemon Institute, which surveyed 383 companies in 12 countries that had suffered a data breach involving from approximately 3,000 to over 101,500 compromised records.
The report estimates there is a 26% probability of a material data breach involving 10,000 or more lost or stolen records.
According to this year’s findings, organisations in Brazil and South Africa are most likely to have a material data breach involving 10,000 or more records. In contrast, organisations in Germany and Australia are least likely to experience a material data breach. Here are some of the key findings from the report.
While the global average cost of a data breach was US$158 per record, healthcare organisations reported the highest average cost at US$355. Education followed with an average cost of US$246.
Nearly half of breaches were caused by hackers and criminal insiders, and these were also the costliest type of breach. The average cost to resolve malicious or criminal attacks was US$170 per record, while breaches stemming from system glitches cost about US$138 per record. In the US specifically, companies paid an average of US$236 per record to address a malicious or criminal attack, the highest of any country.
Incident response teams were observed to reduce the cost of a data breach resolution by US$16 per record. Employee training reduced the cost by US$9, board-level involvement reduced the cost by US$6, and insurance protection reduced the cost by US$5.
Factors that increased the cost of data breach resolution include third-party involvement in the breach (US$14 more per record), rushing to notify (US$6), lost or stolen devices (US$5) and engaging consultants (US$5).
The average number of records stolen has increased 3.2%, and organisations have experienced greater business losses (lost customers) than expected.
Time to identify and contain a data breach affects its cost. For the second year running, the study clearly shows the relationship between how quickly an organisation can identify and contain a breach and the financial consequences. Both the time to identify and the time to contain were highest for malicious and criminal attacks (229 days and 82 days, respectively) and much lower for breaches caused by human error (162 days and 59 days, respectively).
The US and Germany have the highest average per capita cost of data breaches, at $221 and $213, respectively. Brazil and India had the lowest average per capita cost of data breaches, at $100 and $61, respectively.
Investments in data loss prevention controls and activities such as encryption and endpoint security solutions are important for preventing data breaches. The study also found a reduction in cost when companies participated in threat sharing and deployed data loss prevention technologies.