Attacks/Breaches

6/20/2017
02:25 PM
Data Breach Costs Drop Globally But Increase in US

The average total cost of a data breach declined 10% year-over-year around the world, but in the US edged upward by 5%.

The average cost per data breach is now $3.62 million worldwide, marking a 10% drop from the $4 million average cost-per-breach in 2016.

This marks the first time data breach cost has decreased overall since IBM created its Cost of Data Breach report, which was published June 20. The good news unfortunately doesn't apply to everyone: cost increased 5% in the US during the same timeframe that it dropped 26% in Europe.

The study, conducted by the Ponemon Institute, included 419 companies in 11 countries and two geographical regions (the Middle East and ASEAN) around the world. A strong US dollar influenced the global cost analysis and contributed to the decline, according to the report.

Wendi Whitmore, global lead for IBM X-Force Incident Response & Intelligence Services (IRIS), says businesses are focusing more on detection and prevention, which helped with the drop.

"It's the direct result of organizations spending more of their budget allocation on things that are preventive in nature," she explains. While many are investing in endpoint detection and response (EDR), it's not all about technology. Businesses are preparing for breach response.

"Organizations are dedicating time to practicing," she says. "They're developing incident response plans, writing them down, and testing them. They're taking scenarios likely to impact their business and test them periodically."

While breaches may cost less on a global scale, overall findings indicate they are generally more expensive in the United States than in other countries. The average organizational cost per breach was $7.35 million in the US.

Regulation may make a tremendous difference when it comes to data breach cost. The total cost per data breach rose 5% year-over-year in the US; in Europe, it declined 26%. Whitmore says decentralized regulation in the US is a burden. With privacy laws differing across 48 states, companies spend much of their time and resources notifying consumers.

That aside, several factors influence the total cost of a data breach: time taken to find and contain the breach, number of records stolen, escalation of the incident, cost of notifying victims, and unexpected customer loss.

The US takes the top spot for notification costs, which average $690,000 per company, per breach -- more than double the amount of any other nation surveyed. Notification costs include the creation of contact databases, determination of regulatory requirements, interaction with experts, postal expenditure, email bounce-backs, and inbound communication.

The more records lost, the higher the cost. In this study, the average breach cost ranged from $1.9 million for incidents with fewer than 10,000 compromised records to $6.3 million for incidents with more than 50,000 compromised records.

Early detection can also mitigate the total cost of a breach. Researchers found the mean time to identify a breach was 191 days, with detection times ranging from 24 to 546 days. The toughest attacks to detect are those by malicious actors, which take an average of 214 days to find.

"It's still longer than we prefer it to be," Whitmore notes. "Ideally we would prefer it to be hours and not weeks or months."

Hackers and criminal insiders cause the most data breaches and were behind 47% of breaches in this year's report. These are more expensive, says Whitmore. External attackers are often financially motivated, well-funded, and may have the same tools as nation-state actors.

"We've seen an increase in the breadth of attacks to organizations," says Whitmore. "When they occur, they tend to be pretty well-funded. This makes it tougher for organizations responding to attacks because they need to quickly understand the attribution -- who did it, what their motivation is."

Businesses can mitigate the overall cost of a data breach through effective detection and incident response teams, Whitmore says. Incident response teams are a "top factor" in influencing cost, but organizations don't have to invest in an expensive team to be effective.

"It could be an internal team that an organization has invested in, or an outsourced team, or a combination of internal and external," she continues. More organizations are detecting incidents themselves, and by doing it sooner they can prevent a more widespread incident.

In addition to implementing and practicing an incident response plan, Whitmore emphasizes the importance of creating a communications plan to announce breaches.

"What happens if an employee tweets about an attack or alerts the media in advance of an official statement?" she says. "The way an organization responds publicly to an attack is critically important these days."


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
François Amigorena, User Rank: Author
6/26/2017 | 5:54:00 AM
Management should care more about IT security
While it is encouraging to learn that global costs of data breaches have decreased, the fact remains that hugely disruptive data breaches are still happening alarmingly frequently all over the world. Despite this overall step in the right direction, the results are still far from an ideal situation.

With so many data breaches making headlines in recent months, each new cyberattack is a business lesson not learnt and an opportunity to step up cyber security completely missed.

IT security is often in danger of being an issue that only the IT department cares about and can be seen by the C suite as a business cost that doesn't add to revenue streams. That is, of course, until a breach takes place and the costs of resolving the issues become very much the business leader's concern.

For business leaders, whether in the US or further afield, having more visibility of the cybersecurity risks happening daily in their company is vital to changing this attitude and preventing the cost of resolving breaches from climbing even further.

There are currently software tools which can physically show activity which could lead to a breach taking place, whether this is unsafe password practices or general risky behaviour happening around the office in real time. But the truth is that IT security isn't just an 'as and when' requirement. Having effective security software isn't just valuable when a breach takes place. It can help the company remain competitive, close business deals and build trust with customers, partners and the supply chain.

In order to bring these statistics down across the board, IT teams need to encourage business leaders to see preventative IT security measures as a future-proofing investment, like a form of insurance. It's always better to be safe than sorry, but once a company has been the victim of a data breach, it's too late and the measures needed to resolve the issue will inevitably be complex, disruptive and costly.

http://www.isdecisions.com/why-management-should-care-IT-security/