The 2019 Cost of a Data Breach Report – The Findings

Every year IBM Security and the Ponemon Institute release their Cost of a Data Breach report based on in-depth interviews with over 500 companies around the world. The report takes into account hundreds of factors to calculate the cost of a data breach. More importantly, the report highlights ways that organisations can mitigate the cost of a data breach and improve their cybersecurity. This year’s report shows the average cost of a data breach to be a staggering $3.92 million. With such huge potential losses, it’s vital to understand the risks and how they can be avoided. Read on for all the highlights from this year’s report.

What’s New in The Report?

As always, the report analyses factors such as technical activities, customer turnover and the drain on employee productivity to calculate its figures. Each year, research evolves to take into account the changes in technology, regulations and security protocols. However, now in its 14th year, the report also includes historical data to show metrics over several years. New areas within the report this year include:

  • The ‘long tail’ of a breach – for the first time, this year’s report demonstrates that the effects of a breach often last for years after an incident.
  • Organisational and security characteristics – the report examines characteristics that can impact the cost of a data breach such as the complexity of security environments, operational technology, testing and the coordination between development, security and IT operations functions (DevSecOps).
  • The breach lifecycle – not a new addition but a continuation, this year’s report again touches on the root causes of breaches and how long it takes for them to be identified.
  • The impact of security automation – again a continuation from last year, the report reviews the state of security automation within different industries and regions.

What were the key findings?

This year’s report delivered the following key findings: 

  • Lost business was the largest cost category – lost business equated to 36% of the total average cost of a breach. Breaches that resulted in a large customer turnover experienced greater than average total costs.
  • Data breach costs lasted for years – while around two-thirds of the cost came in the first year, organisations were still suffering more than two years after a breach. The long-tail costs were found to be higher for highly-regulated industries such as healthcare.
  • The breach lifecycle has grown – the time between an incident occurring and the breach being contained has grown this year by 4.9%. When the breach lifecycle is longer, the cost of a data breach increases.
  • Malicious attacks were the most common and the most expensive – the number of breaches caused by malicious attacks has increased by 21% since 2014. These types of breaches are harder to identify and contain, and are 27% more expensive than breaches caused by human error.
  • Human error is still a vital contributor – although malicious attacks are more common, breaches caused by human error and system glitches still account for 49% of breaches.
  • Small businesses risk more – the cost implications are disproportionately larger for small businesses, which can influence their ability to recover.

How to protect your business against data breaches?

While the report found that factors such as cloud migration, IT complexity and third-party breaches increased the cost of a data breach, it also revealed ways that the costs can be mitigated. Organisations that implemented measures such as encryption, data loss prevention, threat intelligence sharing and DevSecOps experienced lower-than-average data breach costs. Encryption had the most significant impact, lowering costs by approximately $360,000.

Another factor that greatly mitigates the total cost of a data breach is an organisation’s ability to respond. For businesses with an incident response team following a well-tested response plan, costs were reduced by an average of $1.2 million. Ultimately, teams who tested their response plan were able to respond faster and contain the breach sooner.

Finally, the integration of security automation, using solutions with artificial intelligence, machine learning, and advanced analytics, resulted in significantly lower costs. In fact, organisations without security automation experienced costs that were 95% higher than those with fully-deployed automation.

What are the chances of your business experiencing a data breach?

The 2019 report also found that the chance of experiencing a data breach within two years has risen to 29.6%. As organisations are now nearly one third more likely to experience a breach than they were in 2014, improving your cybersecurity posture is fundamental.

To find out more about how to respond to a cyberattack, and how to mitigate the cost of a data breach, read our ‘Responding to Cyber Attacks’ executive summary here.
