Understanding the High Cost of a Data Breach

Company leaders seem to be grappling with more than their share of worries these days, from political and macroeconomic uncertainties, to extreme weather and trade tensions. One of the most pervasive threats, however, is cybercrime—specifically, data breaches in which criminals hijack customer data.

Increasingly, it isn’t a question of if a company falls prey to a data breach, but when, how, and to what effect. To be sure, data breaches can take a significant and lasting toll.

Over the last five years, the average cost of a corporate data breach, globally, has increased 12% to $3.92 million, according to the latest Cost of Data Breach Report, conducted by the Ponemon Institute on behalf of IBM Security.

The growing price tag is in part due to the lasting impact of a breach, which can span multiple years and goes beyond the direct costs of the breach itself. The total tab typically includes legal, regulatory and technical activities, as well as losses tied to brand equity, customer confidence, and employee productivity.

While there is no foolproof strategy for avoiding a data breach, companies that take these threats seriously—and understand the high costs—may be better prepared to absorb the impact.

Here are five key things to know about the financial impact of a data breach.

1. Smaller Companies are Hit Hard

To gauge the costs of data breaches, the Ponemon Institute conducted in-depth interviews with more than 500 companies, across 17 industries and 16 geographies. They found the effects of a breach vary by the source and the nuances of the company, including size.

In fact, companies with fewer than 500 employees often suffer the biggest blow. On average, companies of this size reported losses of more than $2.5 million. For companies of this size—which typically have less than $50 million in annual revenue—such a loss can be devastating.

2. The Effects are Long-Lasting

When factoring for cybersecurity costs, companies often focus on the immediate toll, but for many organizations the damage can span many years. On average, 67% of data breach costs are realized in the first year, while 22% spill over to the second year and 11% accrue more than two years after the event.

For highly-regulated industries, such as energy, financial services and healthcare, however, the long-lasting costs are higher in the second and third years. Meanwhile, it’s hard to quantify the indirect costs of a breach, which can include diminished brand equity, consumer confidence, and employee productivity.

3. Costs Vary by Cause

Just as the impact of a breach can vary greatly, so can the cause. Notably, nearly half of all breaches are the result of human error or system glitches. On the bright side, companies can avoid these inadvertent losses by testing their systems, and by training and educating employees.

Unfortunately, malicious breaches—attacks from cyber criminals—have become more common and now account for 51% of breaches. They are also the most expensive; on average they cost $4.45 million, or $1 million more than those caused by human error or system shortfalls.

So-called “mega breaches” make headlines, but account for a fraction of data breaches. That said, they cannot be ignored. These events typically involved more than 1 million records and cost companies more than $40 million. On the extreme end of this, the largest breaches—those involving at least 50 million records—add up to $388 million, the study reports.

4. Some Companies are More Vulnerable

In many cases the averages don’t reflect how serious cybercrime is for some regions and industries. For U.S. companies, data breaches are far more costly, with the total price tag, more than $8 million, more than double the global average. That represents a 130% increase since the study began 14 years ago.

Meanwhile, healthcare companies shoulder the biggest burden by far. Globally, healthcare companies spend about $6.5 million per breach, or more than double the average for all industries.

5. Prevention Does Pay

These findings indicate that companies need to take cybersecurity seriously and view it as not just an IT threat but as a risk factor that should span legal, finance and human resources.

Moreover, preventing and mitigating data breaches is a dynamic process that requires ongoing vigilance. Companies that invest in resources to respond quickly and efficiently can minimize the damage.

It stands to reason—as many companies don’t know they’ve been hacked until hundreds of days after the fact. On average, it took companies 206 days to first identify a breach and 73 days to contain it.

Companies with incident response teams were able to identify and respond to breaches far faster—and in the process reported $1.23 million less in losses.

While it may be impossible to avoid a data breach, companies of all sizes need to take measures to identify, respond to and mitigate the risks associated with this pervasive category of crime.