6/20/2017
02:25 PM

Data Breach Costs Drop Globally But Increase in US

The average total cost of a data breach declined 10% year-over-year around the world, but in the US edged upward by 5%.

The average cost per data breach is now $3.62 million worldwide, marking a 10% drop from the $4 million average cost-per-breach in 2016.

This marks the first time data breach cost has decreased overall since IBM created its Cost of Data Breach report, which was published June 20. The good news unfortunately doesn't apply to everyone: cost increased 5% in the US during the same timeframe that it dropped 26% in Europe.

The study, conducted by the Ponemon Institute, included 419 companies in 11 countries and two geographical regions (the Middle East and ASEAN) around the world. A strong US dollar influenced the global cost analysis and contributed to the decline, according to the report.

Wendi Whitmore, global lead for IBM X-Force Incident Response & Intelligence Services (IRIS), says businesses are focusing more on detection and prevention, which helped with the drop.

"It's the direct result of organizations spending more of their budget allocation on things that are preventive in nature," she explains. While many are investing in endpoint detection and response (EDR), it's not all about technology. Businesses are preparing for breach response.

"Organizations are dedicating time to practicing," she says. "They're developing incident response plans, writing them down, and testing them. They're taking scenarios likely to impact their business and testing them periodically."

While breaches may cost less on a global scale, overall findings indicate they are generally more expensive in the United States than in other countries. The average organizational cost per breach was $7.35 million in the US.

Regulation may make a tremendous difference when it comes to data breach cost. The total cost per data breach rose 5% year-over-year in the US; in Europe, it declined 26%. Whitmore says decentralized regulation in the US is a burden. With privacy laws differing across 48 states, companies spend much of their time and resources notifying consumers.

That aside, several factors influence the total cost of a data breach: time taken to find and contain the breach, number of records stolen, escalation of the incident, cost of notifying victims, and unexpected customer loss.

The US takes the top spot for notification costs, which average $690,000 per company, per breach -- more than double the amount of any other nation surveyed. Notification costs include the creation of contact databases, determination of regulatory requirements, interaction with experts, postal expenditure, email bounce-backs, and inbound communication.

The more records lost, the higher the cost. In this study, the average breach cost ranged from $1.9 million for incidents with fewer than 10,000 compromised records to $6.3 million for incidents with more than 50,000 compromised records.

Early detection can also mitigate the total cost of a breach. Researchers found the mean time to identify a breach was 191 days, with detection times ranging from 24 to 546 days. The toughest attacks to detect are those by malicious actors, which take an average of 214 days to find.

"It's still longer than we prefer it to be," Whitmore notes. "Ideally we would prefer it to be hours and not weeks or months."

Hackers and criminal insiders cause the most data breaches and were behind 47% of breaches in this year's report. These are more expensive, says Whitmore. External attackers are often financially motivated, well-funded, and may have the same tools as nation-state actors.

"We've seen an increase in the breadth of attacks to organizations," says Whitmore. "When they occur, they tend to be pretty well-funded. This makes it tougher for organizations responding to attacks because they need to quickly understand the attribution -- who did it, what their motivation is."

Businesses can mitigate the overall cost of a data breach through effective detection and incident response teams, Whitmore says. Incident response teams are a "top factor" in influencing cost, but organizations don't have to invest in an expensive team to be effective.

"It could be an internal team that an organization has invested in, or an outsourced team, or a combination of internal and external," she continues. More organizations are detecting incidents themselves, and by doing it sooner they can prevent a more widespread incident.

In addition to implementing and practicing an incident response plan, Whitmore emphasizes the importance of creating a communications plan to announce breaches.

"What happens if an employee tweets about an attack or alerts the media in advance of an official statement?" she says. "The way an organization responds publicly to an attack is critically important these days."

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Comments

François Amigorena, User Rank: Author
6/26/2017 | 5:54:00 AM
Management should care more about IT security
While it is encouraging to learn that global costs of data breaches have decreased, the fact remains that hugely disruptive data breaches are still happening alarmingly frequently all over the world. Despite this overall step in the right direction, the results are still far from an ideal situation.

With so many data breaches making headlines in recent months, each new cyberattack is a business lesson not learnt and an opportunity to step up cyber security completely missed.

IT security is often in danger of being an issue that only the IT department cares about and can be seen by the C suite as a business cost that doesn't add to revenue streams. That is, of course, until a breach takes place and the costs of resolving the issues become very much the business leader's concern.

For business leaders, whether in the US or further afield, having more visibility of the cybersecurity risks happening daily in their company is vital to changing this attitude and preventing the cost of resolving breaches climbing even further.

There are currently software tools which can physically show activity which could lead to a breach taking place, whether this is unsafe password practices or general risky behaviour happening around the office in real time. But the truth is that IT security isn't just an 'as and when' requirement. Having effective security software isn't just valuable when a breach takes place. It can help the company remain competitive, close business deals and build trust with customers, partners and the supply chain.

In order to bring these statistics down across the board, IT teams need to encourage business leaders to see preventative IT security measures as a future-proofing investment, like a form of insurance. It's always better to be safe than sorry, but once a company has been the victim of a data breach, it's too late and the measures needed to resolve the issue will inevitably be complex, disruptive and costly. 

http://www.isdecisions.com/why-management-should-care-IT-security/