
6/20/2017
02:25 PM

Data Breach Costs Drop Globally But Increase in US

The average total cost of a data breach declined 10% year-over-year around the world, but in the US edged upward by 5%.

The average cost per data breach is now $3.62 million worldwide, marking a 10% drop from the $4 million average cost-per-breach in 2016.

This marks the first time data breach cost has decreased overall since IBM created its Cost of Data Breach report, which was published June 20. The good news unfortunately doesn't apply to everyone: cost increased 5% in the US during the same timeframe that it dropped 26% in Europe.

The study, conducted by the Ponemon Institute, included 419 companies in 11 countries and two geographical regions (the Middle East and ASEAN) around the world. A strong US dollar influenced the global cost analysis and contributed to the decline, according to the report.

Wendi Whitmore, global lead for IBM X-Force Incident Response & Intelligence Services (IRIS), says businesses are focusing more on detection and prevention, which helped with the drop.

"It's the direct result of organizations spending more of their budget allocation on things that are preventive in nature," she explains. While many are investing in endpoint detection and response (EDR), it's not all about technology. Businesses are preparing for breach response.

"Organizations are dedicating time to practicing," she says. "They're developing incident response plans, writing them down, and testing them. They're taking scenarios likely to impact their business and test them periodically."

While breaches may cost less on a global scale, the overall findings indicate they are generally more expensive in the United States than in other countries. The average organizational cost per breach in the US was $7.35 million.

Regulation may make a tremendous difference when it comes to data breach cost. The total cost per data breach rose 5% year-over-year in the US; in Europe, it declined 26%. Whitmore says decentralized regulation in the US is a burden. With privacy laws differing across 48 states, companies spend much of their time and resources notifying consumers.

That aside, several factors influence the total cost of a data breach: time taken to find and contain the breach, number of records stolen, escalation of the incident, cost of notifying victims, and unexpected customer loss.

The US takes the top spot for notification costs, which average $690,000 per company, per breach -- more than double the amount of any other nation surveyed. Notification costs include the creation of contact databases, determination of regulatory requirements, interaction with experts, postal expenditure, email bounce-backs, and inbound communication.

The more records lost, the higher the cost. In this study, the average breach cost ranged from $1.9 million for incidents with fewer than 10,000 compromised records to $6.3 million for incidents with more than 50,000 compromised records.

Early detection can also reduce the total cost of a breach. Researchers found the mean time to identify a breach was 191 days, with detection times ranging from 24 to 546 days. The toughest attacks to detect are those by malicious actors, which take an average of 214 days to find.

"It's still longer than we prefer it to be," Whitmore notes. "Ideally we would prefer it to be hours and not weeks or months."

Hackers and criminal insiders cause the most data breaches and were behind 47% of breaches in this year's report. These are more expensive, says Whitmore. External attackers are often financially motivated, well-funded, and may have the same tools as nation-state actors.

"We've seen an increase in the breadth of attacks to organizations," says Whitmore. "When they occur, they tend to be pretty well-funded. This makes it tougher for organizations responding to attacks because they need to quickly understand the attribution -- who did it, what their motivation is."

Businesses can mitigate the overall cost of a data breach through effective detection and incident response teams, Whitmore says. Incident response teams are a "top factor" in influencing cost, but organizations don't have to invest in an expensive team to be effective.

"It could be an internal team that an organization has invested in, or an outsourced team, or a combination of internal and external," she continues. More organizations are detecting incidents themselves, and by doing it sooner they can prevent a more widespread incident.

In addition to implementing and practicing an incident response plan, Whitmore emphasizes the importance of creating a communications plan to announce breaches.

"What happens if an employee tweets about an attack or alerts the media in advance of an official statement?" she says. "The way an organization responds publicly to an attack is critically important these days."


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
François Amigorena, User Rank: Author
6/26/2017 | 5:54:00 AM
Management should care more about IT security
While it is encouraging to learn that global costs of data breaches have decreased, the fact remains that hugely disruptive data breaches are still happening alarmingly frequently all over the world. Despite this overall step in the right direction, the results are still far from an ideal situation.

With so many data breaches making headlines in recent months, each new cyberattack is a business lesson not learnt and an opportunity to step up cyber security completely missed.

IT security is often in danger of being an issue that only the IT department cares about and can be seen by the C suite as a business cost that doesn't add to revenue streams. That is, of course, until a breach takes place and the costs of resolving the issues become very much the business leader's concern.

For business leaders, whether in the US or further afield, having more visibility of the cybersecurity risks happening daily in their company is vital to changing this attitude and preventing the cost of resolving breaches climbing even further.

There are currently software tools which can physically show activity which could lead to a breach taking place, whether this is unsafe password practices or general risky behaviour happening around the office in real time. But the truth is that IT security isn't just an 'as and when' requirement. Having effective security software isn't just valuable when a breach takes place. It can help the company remain competitive, close business deals and build trust with customers, partners and the supply chain.

In order to bring these statistics down across the board, IT teams need to encourage business leaders to see preventative IT security measures as a future-proofing investment, like a form of insurance. It's always better to be safe than sorry, but once a company has been the victim of a data breach, it's too late and the measures needed to resolve the issue will inevitably be complex, disruptive and costly. 

http://www.isdecisions.com/why-management-should-care-IT-security/