The 2019 Cost of a Data Breach Report – The Findings
Every year IBM Security and the Ponemon Institute release their Cost of a Data Breach report, based on in-depth interviews with over 500 companies around the world. The report takes hundreds of factors into account to calculate the cost of a data breach. More importantly, it highlights ways that organisations can mitigate the cost of a data breach and improve their cybersecurity. This year’s report puts the average cost of a data breach at a staggering $3.92 million. With such huge potential losses, it’s vital to understand the risks and how they can be avoided. Read on for the highlights from this year’s report.
What’s New in The Report?
As always, the report analyses factors such as technical activities, customer turnover and the drain on employee productivity to calculate its figures. Each year, the research evolves to take into account changes in technology, regulations and security practices. Now in its 14th year, the report also includes historical data to show how the metrics have moved over several years. New areas within this year’s report include:
- The ‘long tail’ of a breach – for the first time, this year’s report demonstrates that the effects of a breach often last for years after an incident.
- Organisational and security characteristics – the report examines characteristics that can impact the cost of a data breach such as the complexity of security environments, operational technology, testing and the coordination between development, security and IT operations functions (DevSecOps).
- The breach lifecycle – not a new addition but a continuation, this year’s report again touches on the root causes of breaches and how long it takes for them to be identified.
- The impact of security automation – again a continuation from last year, the report reviews the state of security automation within different industries and regions.
What were the key findings?
This year’s report delivered the following key findings:
- Lost business was the largest cost category – lost business equated to 36% of the total average cost of a breach. Breaches that resulted in a large customer turnover experienced greater than average total costs.
- Data breach costs lasted for years – while around two-thirds of the cost came in the first year, organisations were still suffering more than two years after a breach. The long-tail costs were found to be higher for highly-regulated industries such as healthcare.
- The breach lifecycle has grown – the time between an incident occurring and the breach being contained grew this year by 4.9%. The longer the breach lifecycle, the higher the cost of a data breach.
- Malicious attacks were the most common and the most expensive – the number of breaches caused by malicious attacks has increased by 21% since 2014. These types of breaches are harder to identify and contain, and are 27% more expensive than breaches caused by human error.
- Human error is still a significant contributor – although malicious attacks are more common, breaches caused by human error and system glitches still account for 49% of the total.
- Small businesses risk more – the cost implications are disproportionately larger for small businesses, which can influence their ability to recover.
How can you protect your business against data breaches?
While the report found that factors such as cloud migration, IT complexity and third-party breaches increased the cost of a data breach, it also revealed ways that the costs can be mitigated. Organisations that implemented measures such as encryption, data loss prevention, threat intelligence sharing and DevSecOps experienced lower-than-average data breach costs. Encryption had the most significant impact, lowering costs by approximately $360,000.
Another factor that greatly mitigates the total cost of a data breach is an organisation’s ability to respond. For businesses with an incident response team following a well-tested response plan, costs were reduced by an average of $1.2 million. Ultimately, teams who tested their response plan were able to respond faster and contain the breach sooner.
Finally, the integration of security automation, using solutions with artificial intelligence, machine learning, and advanced analytics, resulted in significantly lower costs. In fact, organisations without security automation experienced costs that were 95% higher than those with fully-deployed automation.
What are the chances of your business experiencing a data breach?
The 2019 report also found that the chance of experiencing a data breach within two years has risen to 29.6%. With organisations now nearly one third more likely to experience a breach than they were in 2014, strengthening your cybersecurity posture is fundamental.
To find out more about how to respond to a cyberattack, and how to mitigate the cost of a data breach, read our ‘Responding to Cyber Attacks’ executive summary here.