This Is How Much a 'Mega Breach' Really Costs

The average cost of a data breach is $3.86 million, but breaches affecting more than 1 million records are far more expensive.

Companies hit with a data breach pay an average of $3.86 million around the world, marking a 6.4% increase from last year. It's no small amount for any company, but a few million is only a small fraction of the cost of "mega breaches," which compromise at least 1 million records.

The "2018 Cost of a Data Breach Study," sponsored by IBM Security and conducted by the Ponemon Institute, annually evaluates the total cost of security incidents. This marks the first time researchers calculated costs associated with breaches ranging from 1 million to 50 million lost records.

So what's the damage? It turns out massive security breaches come with equally large price tags, ranging from $40 million for 1 million records lost to $350 million for 50 million records lost.

Researchers had been wanting to dig into the financial impact of mega breaches but previously lacked the data to do so, explains Caleb Barlow, vice president at IBM Security.

"You have to remember if we go back three or four years ago, when you got into these scenarios, unless they were credit-card-related, companies didn't need to disclose," he says. Now, as a result of breach disclosure laws, analysts have more data to work with.

As for the overall price increase of 6.4%, Barlow says the most concerning aspect isn't the percentage itself, but the fact it continues to grow at all. The potential impact on consumers, and the companies supporting them, has become significant enough to gain board-level attention.

"With the average cost just under $4 million – and [we're] not talking about mega breaches when we say $4 million – the fact this continues to grow is indicative that we as an industry haven't got our arms around this yet," he says.

According to the study, most data breaches (48%) come from malicious or criminal attacks, which are the most expensive, at $157 per capita. Twenty-seven percent are caused by human error – for example, negligent employees or contractors ($131 per capita). One-quarter result from system glitches, including both technical and business process failures ($128 per capita).

Hundreds of factors influence the cost of a data breach. Third-party involvement is the most significant: If a third party causes an incident, it costs the company about $13 per record stolen, the report reveals. "Every company nowadays is not a product only of what they do, but their supply chain as well," Barlow points out. Extensive cloud migration and compliance failure both contribute to the growing cost, adding about $12 per record to the total expense.

One of the factors researchers can better calculate is the reputational side of breach cost, including customer churn and brand damage. If a customer decides not to conduct business with a company due to a breach, or to wait to process a transaction, it can have a pretty devastating impact, he continues. Attackers are taking notice.

"Not only is that potential impact understood now in the cost of a data breach, but it's something the adversary is very much aware of as well," Barlow says. Companies with less than 1% loss of existing customers have an average breach cost of $2.7 million. Researchers estimate those with a churn rate over 4% face an average cost of $4.9 million.

Cost of data breach disclosure is another pricey factor, and it's highest in the United States. Not only is the attack surface larger there compared with other nations, but there are also 49 unique breach disclosure laws to deal with. Companies will likely have to handle the process differently in each jurisdiction where they do business, increasing the cost of alerting users.

Fortunately, a few practices can lessen the financial burden of a data breach.

"There are definitely some things that can reduce the cost," says Barlow, and not just breach prevention. This marks the second year in a row that incident response – having a team and plan in place for remediation – is the top cost-cutting measure ($14 per record).

Extensive use of encryption is another cost saver, cutting about $13 per record, followed by business continuity management (BCM) involvement and employee training ($9.30 each), participation in threat sharing ($8.70), artificial intelligence platforms ($8.20), and use of security analytics ($6.90).

Related Content:

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading: