IBM study calculates full cost of 'mega breaches,' topping $350M

A new IBM study examines the real costs of a data breach and offers critical information companies need to know to protect themselves.

The cost per lost or stolen record containing sensitive and confidential information increased 4.8% in 2018, averaging $149 each.

A new IBM Security study, Cost of a Data Breach Study 2018, identifies the full financial impact of a data breach on a company’s bottom line.

Sponsored by IBM Security and conducted by Ponemon Institute, the study found that the average cost of a data breach globally is $3.86 million. This is a 6.4% increase from the 2017 report.

To make matters worse, researchers found that for U.S. companies, the average cost of a data breach is $7.91 million, the worst globally.

The study also found that a data breach costs companies an average of $149 per lost or stolen record containing sensitive and confidential information, an increase of 4.8%.

The study analyzed hundreds of cost factors surrounding a breach, including technical investigations and recovery, notifications, legal and regulatory activities, and cost of lost business and reputation. The study was conducted by assessing in-depth interviews with nearly 500 companies that experienced a data breach.

Mega breaches

This year for the first time, the study also calculated the costs of so-called “mega breaches,” cases in which 1 million to 50 million records were lost. The study found that these breaches cost companies from $40 million at 1 million records to $350 million at 50 million records.

What is cause for concern is that in the past five years, the number of mega breaches has nearly doubled, from just 9 in 2013 to 16 in 2017.

Also for the first time this year, the IBM study examined the effect of security automation tools that use artificial intelligence, machine learning, analytics, and orchestration to augment or replace human intervention in the identification and containment of a breach.

The study found that organizations that had extensively deployed automated security technologies saved over $1.5 million on the total cost of a breach ($2.88 million, compared to $4.43 million for those that had not deployed security automation).

Impacts on the cost of a data breach

From 2014 to 2018, the Cost of a Data Breach study has found a net increase of 10% in the average cost, from $3.5 million to $3.86 million. Each year, researchers identify the different factors that increase or decrease the cost of a data breach.

One of the first factors deals with time. The average time to identify a data breach in the study was 197 days, and the average time to contain a data breach once identified was 69 days. Companies that contained a breach in less than 30 days saved more than $1 million compared to those that took more than 30 days ($3.09 million vs. $4.25 million average total).

The second most influential factor on the cost of a data breach is the amount of data stolen. At an average of $148 per lost or stolen record, costs can pile up fast.

Among the measures companies use to combat these costly attacks, researchers found that having an incident response team was the top cost-saving factor, reducing the cost by $14 per compromised record. The use of an AI platform for cybersecurity reduced the cost by $8 per lost or stolen record, while companies that indicated a “rush to notify” had a cost that was $5 higher per lost or stolen record.

For the full IBM Cost of a Data Breach 2018 report, visit the company’s website.
