The average cost per data breach is now $3.62 million worldwide, marking a 10% drop from the $4 million average cost-per-breach in 2016.
This marks the first time data breach cost has decreased overall since IBM created its Cost of Data Breach report, which was published June 20. The good news unfortunately doesn't apply to everyone: cost increased 5% in the US during the same timeframe that it dropped 26% in Europe.
The study, conducted by the Ponemon Institute, included 419 companies in 11 countries and two geographical regions (the Middle East and ASEAN) around the world. A strong US dollar influenced the global cost analysis and contributed to the decline, according to the report.
Wendi Whitmore, global lead for IBM X-Force Incident Response & Intelligence Services (IRIS), says businesses are focusing more on detection and prevention, which helped with the drop.
"It's the direct result of organizations spending more of their budget allocation on things that are preventive in nature," she explains. While many are investing in endpoint detection and response (EDR), it's not all about technology. Businesses are preparing for breach response.
"Organizations are dedicating time to practicing," she says. "They're developing incident response plans, writing them down, and testing them. They're taking scenarios likely to impact their business and test them periodically."
While breaches may cost less on a global scale, overall findings indicate they are generally more expensive in the United States than in other counties. The average organizational cost per breach was $7.35 million in the US.
Regulation may make a tremendous difference when it comes to data breach cost. The total cost per data breach rose 5% year-over-year in the US; in Europe, it declined 26%. Whitmore says decentralized regulation in the US is a burden. With privacy laws differing across 48 states, companies spend much of their time and resources notifying consumers.
That aside, several factors influence the total cost of a data breach: time taken to find and contain the breach, number of records stolen, escalation of the incident, cost of notifying victims, and unexpected customer loss.
The US takes the top spot for notification costs, which average $690,000 per company, per breach -- more than double the amount of any other nation surveyed. Notification costs include the creation of contact databases, determination of regulatory requirements, interaction with experts, postal expenditure, email bounce-backs, and inbound communication.
The more records lost, the higher the cost. In this study, the average breach cost ranged from $1.9 million for incidents with less than 10,000 compromised records, to $6.3 million for incidents with more than 50,000 compromised records.
Early detection can also mitigate the total cost of a breach. Researchers found the mean time to identify a breach was 191 days, but the range was 24- to 546 days for detection. The toughest attacks to detect are those by malicious actors, which take an average of 214 days to find.
"It's still longer than we prefer it to be," Whitmore notes. "Ideally we would prefer it to be hours and not weeks or months."
Hackers and criminal insiders cause the most data breaches and were behind 47% of breaches in this year's report. These are more expensive, says Whitmore. External attackers are often financially motivated, well-funded, and may have the same tools as nation-state actors.
"We've seen an increase in the breadth of attacks to organizations," says Whitemore. "When they occur, they tend to be pretty well-funded. This makes it tougher for organizations responding to attacks because they need to quickly understand the attribution -- who did it, what their motivation is."
Businesses can mitigate the overall cost of a data breach through effective detection and incident response teams, Whitmore says. Incident response teams are a "top factor" in influencing cost, but organizations don't have to invest in an expensive team to be effective.
"It could be an internal team that an organization has invested in, or an outsourced team, or a combination of internal and external," she continues. More organizations are detecting incidents themselves, and by doing it sooner they can prevent a more widespread incident.
In addition to implementing and practicing an incident response plan, Whitmore emphasizes the importance of creating a communications plan to announce breaches.
"What happens if an employee tweets about an attack or alerts the media in advance of an official statement?" she says. "The way an organization responds publicly to an attack is critically important these days."