The UK saw significant decreases compared to the four-year average costs, with the cost of a data breach averaging £2.5 million.
Yahoo, OneLogin, DocuSign, Wonga – there is no shortage of high-profile data breaches, with the rhetoric surrounding these incidents decrying lax security measures and forewarning of hefty costs, fines and damage to brand. However, in findings which seemingly go against the cyber security grain of late, IBM has found that the average cost of a data breach has declined by a significant 10%.
According to IBM Security’s global study, the average cost of a data breach is $3.62 million globally, a 10% decline from 2016 results. This is the first time since the global study was created that there has been an overall decrease in the cost. These data breaches cost companies $141 per lost or stolen record on average.
The study, conducted by Ponemon Institute, indicates that there is a strong correlation between regulation and the overall cost of a data breach. European countries, which operate in a more centralised regulatory environment, saw a 26% decrease in the total cost of a data breach over last year’s study. The US, where regulation differs per state, saw data breach costs actually rise 5%.
The top five reasons why the US saw a rise in data breach costs included “compliance failures” and “rushing to notify”. A comparison of these factors suggests that regulatory activities in the U.S. could cost businesses more per record when compared to Europe.
For example, compliance failures cost U.S. businesses 48% more than European companies, while rushing to notify cost U.S. businesses 50% more than European companies. U.S. companies also reported paying over $690,000 on average for notification costs related to a breach – which is more than double the amount of any other country surveyed in the report.
These regulatory findings come at an apt time when the GDPR deadline is coming ever nearer. With just under a year to go, further regulatory compliance could result in further declines in data breach costs.
“New regulatory requirements like GDPR in Europe pose a challenge and an opportunity for businesses seeking to better manage their response to data breaches,” said Wendi Whitmore, Global Lead, IBM X-Force Incident Response & Intelligence Services (IRIS).
“Quickly identifying what has happened, what the attacker has access to, and how to contain and remove their access is more important than ever. With that in mind, having a comprehensive incident response plan in place is critical, so when an organization experiences an incident, they can respond quickly and effectively.”
For a third year in a row, the report revealed the benefits of having an Incident Response (IR) team in place. An IR team was found to significantly reduce the cost of a data breach, saving more than $19 per lost or stolen record.
A big part of why an IR team can reduce data breach costs is down to speed – the cost of a data breach was nearly $1 million lower on average for organisations that were able to contain a data breach in less than 30 days compared to those that took longer than 30 days.
Speed of response will be increasingly critical as GDPR is implemented in May 2018, which will require organizations doing business in Europe to report data breaches within 72 hours or risk facing fines of up to four percent of their global annual turnover.
“The survey results make it clear that the time taken to contain a breach has a direct bearing on the cost. Threat triage, investigation and containment are processes carried out by people that need technology to support their efforts. The technology needs to allow our people to get true visibility into what is going on, rather than simply providing huge amounts of data that has to be manually trawled through,” said Darren Anstee, Chief Technology Officer at Arbor Networks.
Other factors found to reduce the cost of a data breach included encryption and education, with extensive use of encryption reducing data breach costs by $19 per lost or stolen record. Education, meanwhile, reduced the cost of a data breach by $12.50 per lost or stolen record.
Looking at the other side of the fence, the top factor increasing the cost of a data breach was the involvement of third-parties. The report found that third-parties increased the cost of a data breach by $17 per record.