IBM: Hidden Costs Drive Up Financial Hit of Mega Breaches to $350M

The cost of data breaches to companies continues to go up, with the average hitting $3.86 million, according to a study by IBM Security. However, the cost of "mega breaches" -- where 1 million to 50 million records are lost -- can reach as high as $350 million, particularly when hidden costs are factored in.

According to the "2018 Cost of a Data Breach Study," those hidden costs -- such as lost business, the negative impact on the company's reputation and the amount of time employees spend on helping the business recover from the breach -- can be significant and difficult and expensive to manage. For example, a third of the cost of mega breaches came from lost business, according to the study, which was conducted by the Ponemon Institute for IBM Security.

In May, Kaspersky Lab researchers calculated that that clean-up costs for enterprises that had been breached grew almost 25% between 2017 and 2018, to $1.23 million per incident. The IBM report looked to include the ancillary hidden costs that drive up the overall financial hit companies take. (See Kaspersky: Data Breaches Cost Enterprises $1.23M.)

(Source: Pixabay)

The data was collected through interviews with almost 500 companies that had experienced a data breach and through the analysis of hundreds of cost factors surrounding a breach, including technical investigations and recovery, notifications, lost business and reputation and legal and regulatory activities.

The study comes at a time when the number of mega breaches, such as the Equifax breach, continues to rise. According to IBM, over the past five years, the number almost doubled, from nine in 2013 to 16 in 2017. IBM's study in the past analyzed data from breaches were 2,500 to 100,000 records were lost. With the rapid growth of mega breaches, the tech giant is now taking a look at the costs involved with those. Ten out of 11 mega breaches that were analyzed were the result of malicious and criminal attacks rather than system or human error, with the largest expense linked to lost business, which was almost $118 million for breaches of 50 million records. (See Equifax Agrees to Implement New Security Measures.)

Growing costs
However, like with smaller breaches, a key factor is the amount of time it normally takes a business to detect and contain the breach. For a mega breach, the average time was 365 days, almost 100 days longer than the average of 266 days for breaches of smaller scale. On average, companies that contained a breach in fewer than 30 days saved more than $1 million in costs than those that took longer, at $3.09 million vs. $4.25 million. (See MyHeritage Data Breach of 92M Accounts Raises Many Questions.)

"The amount of time to detect and contain a breach has a huge impact on the total cost of a breach, which was evident from the study as well as what we experience working with clients," Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services, told Security Now in an email. "One of the big factors that helps reduce that timeline is having a full incident response plan in place, which includes proactive detection capabilities as well as response and remediation actions for a wide variety of stakeholders in the environment."

Security complexity
Responding well to a breach is more complex and challenging than many realize, so the key is having the right people and tools in place, and not only the technical and security teams but other people throughout the business, Whitmore wrote. Having an incident response team in place can reduce the cost of a breach by $14 per compromised record, the study found.

The use of artificial intelligence technologies for cybersecurity also plays a significant role in reducing costs. The use of an AI platform can cut costs by $8 per record. In addition, those companies that have extensively deployed automated security technologies -- including AI, machine learning, analytics and orchestration -- saved more than $1.5 million on the total cost of a breach, with an average of $2.88 million versus $4.43 million for those who didn’t use such technologies.

"Many companies are adopting machine learning, AI and automation technologies in some form or another in the security operation center, particularly those with more mature security processes in place," Whitmore added. "Many of these are larger companies as well as those in highly targeted industries like financial services. While machine learning is already used fairly pervasively, we continue to see companies looking to push further into the automation and AI space as well."

Boost your understanding of new cybersecurity approaches at Light Reading's Automating Seamless Security event on October 17 in Chicago! Service providers and enterprise receive FREE passes. All others can save 20% off passes using the code LR20 today!

With businesses managing more data and facing more threats, the use of automation technologies can reduce the amount of time security analysts need for such jobs as investigating duplicate alerts and false positives, and can also help in streamlining the overall threat response, she said.

Regionally, businesses in the US sustained the highest average cost per breach, at $7.91 million. The lowest average costs were in Brazil, at $1.24 million, and India, at $1.77 million.

Overall, costs have continued to rise during the 13 years Ponemon has looked at the issue. In 2014, the average cost of a data breach was $3.5 million, which means costs have jumped almost 10% in the past five years.

"Cybercriminals are becoming increasingly sophisticated, and targeted attacks as well as mega breaches are growing both in volume and complexity, which increases the overall time and expense it takes to manage a breach," Whitmore wrote. "Our clients realize the growing threat and are investing in measures to become more secure, but many organizations still don't have some of the basic detection capabilities in place that can help limit the impact of these attacks more effectively. Taking an operationally focused yet risk-based approach to security, focusing on protecting the most critical assets, and ensuring that the proper planning is in place across people, tools and technology can help reduce these costs in the long term."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.</p