6/20/2017 02:25 PM

Data Breach Costs Drop Globally But Increase in US

The average total cost of a data breach declined 10% year-over-year around the world, but in the US edged upward by 5%.

The average cost per data breach is now $3.62 million worldwide, marking a 10% drop from the $4 million average cost-per-breach in 2016.

This marks the first time data breach cost has decreased overall since IBM created its Cost of Data Breach report, which was published June 20. The good news unfortunately doesn't apply to everyone: cost increased 5% in the US during the same timeframe that it dropped 26% in Europe.

The study, conducted by the Ponemon Institute, included 419 companies in 11 countries and two geographical regions (the Middle East and ASEAN) around the world. A strong US dollar influenced the global cost analysis and contributed to the decline, according to the report.

Wendi Whitmore, global lead for IBM X-Force Incident Response & Intelligence Services (IRIS), says businesses are focusing more on detection and prevention, which helped with the drop.

"It's the direct result of organizations spending more of their budget allocation on things that are preventive in nature," she explains. While many are investing in endpoint detection and response (EDR), it's not all about technology. Businesses are preparing for breach response.

"Organizations are dedicating time to practicing," she says. "They're developing incident response plans, writing them down, and testing them. They're taking scenarios likely to impact their business and testing them periodically."

While breaches may cost less on a global scale, overall findings indicate they are generally more expensive in the United States than in other countries. The average organizational cost per breach was $7.35 million in the US.

Regulation may make a tremendous difference when it comes to data breach cost. The total cost per data breach rose 5% year-over-year in the US; in Europe, it declined 26%. Whitmore says decentralized regulation in the US is a burden. With privacy laws differing across 48 states, companies spend much of their time and resources notifying consumers.

That aside, several factors influence the total cost of a data breach: time taken to find and contain the breach, number of records stolen, escalation of the incident, cost of notifying victims, and unexpected customer loss.

The US takes the top spot for notification costs, which average $690,000 per company, per breach -- more than double the amount of any other nation surveyed. Notification costs include the creation of contact databases, determination of regulatory requirements, interaction with experts, postal expenditure, email bounce-backs, and inbound communication.

The more records lost, the higher the cost. In this study, the average breach cost ranged from $1.9 million for incidents with less than 10,000 compromised records, to $6.3 million for incidents with more than 50,000 compromised records.

Early detection can also mitigate the total cost of a breach. Researchers found the mean time to identify a breach was 191 days, with detection times ranging from 24 to 546 days. The toughest attacks to detect are those by malicious actors, which take an average of 214 days to find.

"It's still longer than we prefer it to be," Whitmore notes. "Ideally we would prefer it to be hours and not weeks or months."

Hackers and criminal insiders cause the most data breaches and were behind 47% of breaches in this year's report. These are more expensive, says Whitmore. External attackers are often financially motivated, well-funded, and may have the same tools as nation-state actors.

"We've seen an increase in the breadth of attacks to organizations," says Whitmore. "When they occur, they tend to be pretty well-funded. This makes it tougher for organizations responding to attacks because they need to quickly understand the attribution -- who did it, what their motivation is."

Businesses can mitigate the overall cost of a data breach through effective detection and incident response teams, Whitmore says. Incident response teams are a "top factor" in influencing cost, but organizations don't have to invest in an expensive team to be effective.

"It could be an internal team that an organization has invested in, or an outsourced team, or a combination of internal and external," she continues. More organizations are detecting incidents themselves, and by doing it sooner they can prevent a more widespread incident.

In addition to implementing and practicing an incident response plan, Whitmore emphasizes the importance of creating a communications plan to announce breaches.

"What happens if an employee tweets about an attack or alerts the media in advance of an official statement?" she says. "The way an organization responds publicly to an attack is critically important these days."


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments

François Amigorena, User Rank: Author
6/26/2017 | 5:54:00 AM
Management should care more about IT security
While it is encouraging to learn that global costs of data breaches have decreased, the fact remains that hugely disruptive data breaches are still happening alarmingly frequently all over the world. Despite this overall step in the right direction, the results are still far from an ideal situation.

With so many data breaches making headlines in recent months, each new cyberattack is a business lesson not learnt and an opportunity to step up cyber security completely missed.

IT security is often in danger of being an issue that only the IT department cares about and can be seen by the C suite as a business cost that doesn't add to revenue streams. That is, of course, until a breach takes place and the costs of resolving the issues become very much the business leader's concern.

For business leaders, whether in the US or further afield, having more visibility of the cybersecurity risks happening daily in their company is vital to changing this attitude and preventing the cost of resolving breaches climbing even further.

There are currently software tools which can physically show activity which could lead to a breach taking place, whether this is unsafe password practices or general risky behaviour happening around the office in real time. But the truth is that IT security isn't just an 'as and when' requirement. Having effective security software isn't just valuable when a breach takes place. It can help the company remain competitive, close business deals and build trust with customers, partners and the supply chain.

In order to bring these statistics down across the board, IT teams need to encourage business leaders to see preventative IT security measures as a future-proofing investment, like a form of insurance. It's always better to be safe than sorry, but once a company has been the victim of a data breach, it's too late and the measures needed to resolve the issue will inevitably be complex, disruptive and costly. 

http://www.isdecisions.com/why-management-should-care-IT-security/