The 2019 Cost of a Data Breach Report – The Findings
Every year IBM Security and the Ponemon Institute release their Cost of a Data Breach report based on in-depth interviews with over 500 companies around the world. The report takes into account hundreds of factors to calculate the cost of a data breach. More importantly, the report highlights ways that organisations can mitigate the cost of a data breach and improve their cybersecurity. This year’s report shows the average cost of a data breach to be a staggering $3.92 million. With such huge potential loses, it’s vital to understand the risk and how they can be avoided. Read on for all the highlights from this year’s report.
What’s New in The Report?
As always, the report analyses factors such as technical activities, customer turnover and the drain on employee productivity to calculate its figures. Each year, research evolves to take into account the changes in technology, regulations and security protocols. However, now in its 14th year, the report also includes historical data to show metrics over several years. New areas within the report this year include:
- The ‘long tail’ of a breach – for the first time, this year’s report demonstrates that the effects of a breach often last for years after an incident.
- Organisational and security characteristics – the report examines characteristics that can impact the cost of a data breach such as the complexity of security environments, operational technology, testing and the coordination between development, security and IT operations functions (DevSecOps).
- The breach lifecycle – not a new addition but a continuation, this year’s report again touches on the root causes of breaches and how long it takes for them to be identified.
- The impact of security automation – again a continuation from last year, the report reviews the state of security automation within different industries and regions.
What were the key findings?
This year’s report delivered the following key findings:
- Lost business was the largest cost category – lost business equated to 36% of the total average cost of a breach. Breaches that resulted in a large customer turnover experienced greater than average total costs.
- Data breach costs lasted for years – while around two-thirds of the cost came in the first year, organisations were still suffering more than two years after a breach. The long-tail costs were found to be higher for highly-regulated industries such as healthcare.
- The breach lifecycle has grown – the time between an incident occurring and the breach being contained has grown this year by 4.9%. When the breach lifecycle is higher, the cost of a data breach increases.
- Malicious attacks were the most common and the most expensive – the number of breaches caused by malicious attacks has increased by 21% since 2014. These types of breaches are harder to identify and contain, and are 27% more expensive than breaches caused by human error.
- Human error is still a vital contributor – although malicious attacks are more common, those caused by human error and system glitches still account for 49% of breaches.
- Small businesses risk more – the cost implications are disproportionately larger for small businesses, which can influence their ability to recover.
How to protect your business against data breaches?
While the report found that factors such as cloud migration, IT complexity and third-party breaches increased the cost of a data breach, it also revealed ways that the costs can be mitigated. Organisations who implement the likes of encryption, data loss prevention, threat intelligence sharing and DevSecOps experienced lower-than-average data breach costs. Encryption had the most significant impact, lowering costs by approximately $360,000.
Another factor that greatly mitigates the total cost of a data breach is an organisation’s ability to respond. For businesses with an incident response team following a well-tested response plan, costs were reduced by an average of $1.2 million. Ultimately, teams who tested their response plan were able to respond faster and contain the breach sooner.
Finally, the integration of security automation, using solutions with artificial intelligence, machine learning, and advanced analytics, resulted in significantly lower costs. In fact, organisations without security automation experienced costs that were 95% higher than those with fully-deployed automation.
What are the chances of your business experiencing a data breach?
The 2019 report also found that the chance of experiencing a data breach within two years has risen to 29.6%. As organisations are now nearly one third more likely to experience a breach than they were in 2014, increasing your cybersecurity posture is fundamental.
To find out more about how to respond to a cyberattack, and how to mitigate the cost of a data breach, read our ‘Responding to Cyber Attacks’ executive summary here.
see our
Related resources
Mimecast recently released its State of Email Security Report for 2021. The fifth edition of its annual report used interviews with over twelve hundred of information technology and cybersecurity professionals across the globe to gather vital cybersecurity insights. The report offers an insight into the latest email threats along with advice on how to build cyber resilience and mitigate the risks of email-borne attacks.
Cyber attacks and data breaches have been commonplace in the news headlines for some time now. Although a warning from the media is certainly helpful, there is so much more that can be done when it comes to threat intelligence sharing. Threat intelligence sharing is an important part of the global cybersecurity community effort to tackle cybercrime and should form a part of every organisation’s cybersecurity strategy. Sharing cyber threat intelligence enables organisations to make informed decisions about their cybersecurity, building more effective and robust cyber defences.
One of my favourite annual reports to read is the Verizon Data Breach Investigations Report. It’s packed full of insights about the threat landscape and security leaders, in my opinion, should read this report to get a pulse on what’s happening in cyber-scape.
After all, as cyber leaders, we are here to stop breaches – so the insights gained from real cyber incidents and breaches is gold in learning how to tighten up our defences.
All businesses, large and small, are under increasing pressure to demonstrate that they are managing the risk of cyberattacks. This means having the right processes and controls in place to identify risks and vulnerabilities, protect information, as well as detect, respond, and recover in the event of cybersecurity incidents. As such, many businesses are turning to certification authorities and security frameworks to demonstrate privacy and security best practice and achieve compliance with regulatory bodies. System and Organisation Controls (SOC 2) is one such compliance framework that can help organisations to create a structured approach to cybersecurity.
Frost & Sullivan has recently released its 2021 Frost Radar: Email Security report, where its findings provide a benchmarking framework to help businesses protect their email from cyber threats.
As we operate in an increasingly digital world, every business collect, store, and share more and more data. And, amongst that data is personal information. With the OAIC marking this year’s Privacy Awareness Week (PAW) from Monday 3 May to Sunday 9 May 2021, it’s time for us all to review how we protect our customers’ personal information.
We're Here To Help