With Data Breach Costs, Time is Money

The sooner a company can detect and respond to an incident, the less likely they are to pay for it, a new IBM-Ponemon study finds.

One of the main takeaways from IBM's latest annual data breach report, released this week, is that a strong incident response capability can help organizations reduce breach costs by more than 25% on average.

IBM's study of over 500 data breach victims — conducted by the Ponemon Institute — shows that businesses with a formal incident response team and well-tested response plans spent $3.51 million on average on breach costs compared with $4.74 million by those who had neither.

The study shows that organizations on average took 206 days after initial intrusion to first identify a data breach and another 73 days to remediate it. But companies that were able to detect and contain a breach in fewer than 200 days spent $1.23 million less in breach costs.

"When it comes to data breaches, time is money, and the longer it takes to contain and remediate, the longer the organization keeps bleeding, so to speak," says Limor Kessem, global executive security advisor at IBM Security.

The IBM-Ponemon study — now in its 15th year — considered four core categories of expenses when computing breach costs: lost business, detection and escalation, notification, and post-breach, Kessem says.

"We found that lost business has remained the highest cost factor over the past five years," Kessem says. This includes things such as the costs of business disruption, revenue losses from system downtime, damage to a company's reputation, and the cost of lost customers, she says. The global average customer turnover rate caused by a data breach was 3.9%, an increase from last year's rate of 3.4%, she says.

Quick detection and response are critical to reporting the exact scope of a breach, figuring out what might have been compromised, and complying with regulatory breach notification requirements. A fully drilled incident response team can help speed up restoration and repair, Kessem notes.

"[Organizations] are in a better place on reporting and can save costs on everything from operational downtime, employee productivity, and regulatory fines to reputational damage."

Joseph Carson, chief security scientist at Thycotic, says the reason why companies are having a harder time detecting breaches is because attackers are getting better at hiding their tracks by abusing privileged accounts and other measures to remove traceable digital footprints. Many security researchers have noted a recent increase in attacks that employ legitimate remote admin tools and other utilities to hide on a compromised network for extended durations.

"A strong incident response plan can be useless if you're not actively threat hunting" as well, Carson says.

The IBM-Ponemon study shows that other measures could help organizations reduce breach costs, too. Companies that had deployed security automation technologies, for instance, generally spent just half of what organizations without such tools spent on a data breach. Similarly, total breach costs were about $360,000 lower on average for companies that employed encryption effectively.

"Encryption, business continuity management, DevSecOps, and threat intelligence sharing are cost mitigators, while cloud migration, IT complexity, and third-party breaches are major cost amplifiers," says Jonathan Deveaux, head of enterprise data protection at comforte AG.

Increasingly, companies are talking about a "cloud-first" strategy for some projects and about "multicloud" configurations, involving the use of AWS alongside Azure or Google Cloud, Deveaux says. "What this means from a data security perspective is that there are more attack vectors that leave organizations susceptible to data breaches."

"Long-Tail" Costs
As in previous years, the latest IBM-Ponemon report shows that data breach costs are continuing to climb for organizations across the board, but none more so than healthcare companies. The global average cost for a data breach is now $3.92 million — or 12% higher than what it was five years ago. For organizations in the US, the average costs are more than double, at $8.19 million.

The data shows that healthcare companies last year spent a stunning $439 per lost record, at an average of nearly $6.5 million for a data breach. That figure is some 60% higher than what organizations in any other industry pay for a data breach. "[These] breaches are simply calamitous to organizations in the sector," Kessem notes. It speaks to the need for the healthcare sector to pay more attention to all the cost reduction strategies that extend beyond the security program already in place, she says.

The biggest cost factor for breaches in the US stemmed from lost business, such as customer turnover, system downtime, and business disruption. More than half ($4.5 million) of the total cost of a breach in the US, in fact, was tied to lost business — double that for organizations in other countries. "In general, we expect increasing data privacy standards and regulation like GDPR will increase regulatory and compliance costs for companies who experience a breach," Kessem notes.

Generally, data breaches caused by malicious cyberattacks cost businesses in the IBM-Ponemon study about $1 million more on average than data compromises caused by an accident. The data shows the percentage of companies in the study that experienced a malicious external data breach was 51% compared with 42% six years ago. Forty-nine percent of the breaches were caused by human error and system problems and cost victims $3.5 million and $3.24 million on average, respectively.

The study shows that breach costs can escalate sharply depending on the number of records that are breached. The projected final cost for companies in the IBM-Ponemon study that experienced a breach of more than 1 million records — a relatively rare occurrence — was $42 million. The figure skyrocketed to $388 million for breaches involving more than 50 million records.

Significantly, the financial impact of a data breach can last for years, Kessem says. Most organizations incur only about two-thirds (67%) of their data breach costs in the first 12 months. They spend 22% in the second year and the remaining 11% more than two years after the incident.

Such "long-tail" costs tend to be higher in regulated industries such as healthcare, financial services, and energy. A lot of it has to do with the fact that compliance and regulatory processes tend to be complex and often move slower as well. Therefore, fines and legal fees accumulate in the years following a breach, and not in the immediate aftermath of one, she says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Ninja
7/25/2019 | 9:21:13 AM
Repetitive but needed

Increasingly, companies are talking about a "cloud-first" strategy for some projects and about "multicloud" configurations, involving the use of AWS alongside Azure or Google Cloud, Deveaux says. "What this means from a data security perspective is that there are more attack vectors that leave organizations susceptible to data breaches."

Interesting. I don't agree with that; I think lack of knowledge, experience, strategy and inadequate education can leave a company susceptible to attack. The cloud is an extension of the organization. No matter how secure the cloud provider is, the individuals that are responsible for its functions will carry those same practices over to the cloud. Look at a few companies that have been hit by incompetence (Cloud S3 Issues):
  • Attunity - S3 bucket left open without specific controls
  • Accenture Federal Services - S3 bucket left open with company data
  • Microsoft, Yahoo, iCloud, Dropbox
  • Booz Allen Hamilton
  • Dow Jones & Co
  • Verizon Wireless
  • Time-Warner Cable

Again, all you have to have is a person who leaves one door open. Think about creating a VM on any CSP, look at the /var/log/*.log files and run the following:
  • "yum install logwatch -y"
  • "/usr/sbin/logwatch --detail High --mailto <email> --range Today --filename logwatch-`date '+%m-%d-%Y'`.html --format html" 

Be sure to look at the number of attempts of someone trying to access ssh; this is alarming. Now you have the option of locking down ssh using iptables and cloud rules (NSG or ACL IP filtering):
  • "iptables -I INPUT 1 -p tcp -m multiport --dports 22 -s <trusted_cidr> -d <vm_ip> -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT" # isolate ports on the network and monitor that access with conntrack; <trusted_cidr> and <vm_ip> are placeholders for your own values, and a later rule dropping other traffic to port 22 is needed for this ACCEPT to actually restrict access

Just a word to the wise.
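The log check and ssh lockdown the comment above describes, as an added shell example that is not part of the original comment: it counts failed sshd logins per source from constructed log lines and prints (rather than applies) the iptables rules for a trusted CIDR, where 192.0.2.0/24 is an assumed placeholder.

```shell
#!/bin/sh
# Constructed sshd lines in the format found in /var/log/auth.log or /var/log/secure.
SAMPLE_AUTH_LOG='Jul 25 08:01:02 vm1 sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jul 25 08:01:05 vm1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Jul 25 08:02:11 vm1 sshd[1210]: Failed password for root from 198.51.100.23 port 40011 ssh2
Jul 25 08:03:40 vm1 sshd[1222]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
Jul 25 08:04:02 vm1 sshd[1230]: Failed password for invalid user test from 203.0.113.7 port 51140 ssh2
Jul 25 08:04:09 vm1 sshd[1231]: Failed password for invalid user oracle from 203.0.113.7 port 51141 ssh2'

# Read sshd log text on stdin; print "<failures> <source ip>" per source, most failures first.
failed_ssh_by_ip() {
  grep 'sshd\[[0-9]*\]: Failed password' |
    sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
    sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print only the sources with at least THRESHOLD failures (default 3): the noise worth acting on.
noisy_sources() {
  threshold="${1:-3}"
  failed_ssh_by_ip | awk -v t="$threshold" '$1 >= t {print $2}'
}

# Count successful logins, to confirm the legitimate admin path is still visible in the same window.
accepted_ssh_count() {
  grep -c 'sshd\[[0-9]*\]: Accepted '
}

# Print (not apply) the iptables rules that restrict ssh to one trusted CIDR (assumed placeholder),
# tracked by conntrack, with an explicit DROP so the ACCEPT actually limits access.
ssh_allowlist_rules() {
  trusted_cidr="$1"
  printf 'iptables -I INPUT 1 -p tcp --dport 22 -s %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' "$trusted_cidr"
  printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# Stand-alone run over the constructed sample.
echo "Failed ssh logins by source:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_by_ip
echo "Sources at or above 3 failures: $(printf '%s\n' "$SAMPLE_AUTH_LOG" | noisy_sources 3)"
echo "Accepted logins: $(printf '%s\n' "$SAMPLE_AUTH_LOG" | accepted_ssh_count)"
echo "Rules for the assumed trusted CIDR 192.0.2.0/24:"
ssh_allowlist_rules 192.0.2.0/24
```

On a real VM, replace the sample with `cat /var/log/auth.log | failed_ssh_by_ip` (or /var/log/secure) and review the printed rules before applying them.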

User Rank: Ninja
7/25/2019 | 8:21:22 AM
Re: woa
I rather think this is a brain-dead article - obvious in all respects. Equifax did everything wrong and anybody in security knows these steps. Not the most challenging subject.
User Rank: Apprentice
7/25/2019 | 2:20:40 AM
Thanks for your post.