For the ninth year in a row, healthcare organizations had the highest cost of a data breach—nearly $6.5 million on average—according to the annual “Cost of a Data Breach Report” from IBM Security and the Ponemon Institute.
The annual report put out by the two companies examines the financial impact of data breaches on organizations. According to the report, the cost of a data breach has risen 12 percent over the past five years, and now costs $3.92 million on average. These rising expenses are representative of the multiyear financial impact of breaches, increased regulation and the complex process of resolving criminal attacks, the study’s authors concluded.
And for small and midsize businesses, the financial consequences of a data breach can be particularly severe. In the study, companies with less than 500 employees suffered losses of more than $2.5 million on average, which for businesses this size that typically earn $50 million or less in annual revenue, can be especially crippling.
For the first time this year, the report also examined the long tail financial impact of a data breach, finding that the effects of a data breach are felt for years. While an average of 67 percent of data breach costs were realized within the first year after a breach, 22 percent accrued in the second year and another 11 percent accumulated more than two years after a breach. The long tail costs were higher in the second and third years for organizations in highly-regulated environments, such as healthcare, financial services, energy and pharmaceuticals.
More specific to healthcare, not only did this industry’s organizations have the average highest cost of a breach, but that $6.5 million figure was nearly 65 percent more than other industries in the study. As such, data breaches cost healthcare companies $429 per lost or stolen record on average, which is almost three times higher than the cross-industry average which is $150 per lost/stolen record.
What’s more, organizations in the healthcare and public sector take the most time in the data breach lifecycle—defined as the time it takes to identify and contain a breach—329 days and 324 days, respectively. Financial organizations, for comparison, take far less time to identify and contain a data breach (233 days).
Sponsored by IBM Security and conducted by the Ponemon Institute, the report is based on in-depth interviews with more than 500 companies around the world that suffered a breach over the past year. The analysis also takes into account hundreds of cost factors including legal, regulatory and technical activities to loss of brand equity, customers, and employee productivity.
Some of the other top findings from this year's report include:
- Over 50 percent of data breaches in the study resulted from malicious cyberattacks and cost companies $1 million more on average than those originating from accidental causes.
- However, inadvertent breaches from human error and system glitches were still the cause for nearly half (49 percent) of the data breaches in the report, costing companies $3.50 and $3.24 million respectively.
- While less common, breaches of more than 1 million records cost companies a projected $42 million in losses. And those of 50 million records are projected to cost companies $388 million.
- The average cost of a breach in the U.S. is $8.19 million, more than double the worldwide average.
- Companies with an incident response team that also extensively tested their incident response plan experienced $1.23 million less in data breach costs on average than those that had neither measure in place.
"Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses," Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services, said in a statement. "With organizations facing the loss or theft of over 11.7 billion records in the past three years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line –and focus on how they can reduce these costs."
