Average Cost of Data Breach Drops Globally, Rises to $7.35 Million in U.S.

Cost of Data Breach Drops Globally, But Rises 5% in U.S.

The 2017 IBM Security and Ponemon Institute annual report on the cost of a breach shows that the cost of stolen records and the total cost of a breach continue to rise -- at least in America. The lost- or stolen-record cost rose from $221 to $225 each, while the average total cost of a breach increased from $7.01 million to $7.35 million for organizations in the United States.

In the European countries included in the study -- France, Germany, Italy and the United Kingdom -- these costs actually fell. For example, in the UK, the average per capita cost of a data breach decreased from £102 to £98, and the average total organizational cost decreased from £2.53 million in 2016 to £2.48 million in 2017.

The annual Cost of Data Breach Study (PDF) is one of security's yearly benchmark reports. This year, Ponemon Institute, sponsored by IBM, analyzed the cost-effect of data breaches for more than 400 companies in 13 countries. However, it should be noted that not everyone believes it is possible to accurately define and compare different breaches in different companies over time. In recent years both Verizon and ENISA have said it is too difficult.

SecurityWeek asked Diana Kelley, global executive security advisor to IBM Security, whether such criticisms are fair. "It's hard to do these comparisons," she admitted, "but Ponemon goes to great pains over many months using a consistent methodology to ensure they are valid." While the breached companies change, the methodology for data gathering remains consistent, and the bottom line, she added, is that "IBM is confident in their validity, and we are seeing a picture of what can save us money when we have a breach; and also things that result in that cost being higher than perhaps it needs to be."

In America, the key factors in reducing the cost of a breach are incident response, encryption and education. Having an incident response team in place resulted in a $19 reduction in cost per lost or stolen record, followed by extensive use of encryption ($16 reduction per record) and employee training ($12.50 reduction per record). None of this is rocket science, suggested Kelley; "but sometimes it takes science-backed data figures to make us realize just how important they are."

Notable factors increasing the cost of a breach include the involvement of third parties in a data breach (increasing the cost $17 per record), compliance failures and a 'rush to notify'. The first of these is a well-understood threat vector. "Organizations need to evaluate the security posture of their third-party providers – from payroll to cloud providers to CRM – to ensure the security of employee and customer data," says IBM.

The latter two, however, are worth considering in relation to the difference in breach costs between America and Europe, together with the different compliance regulations of the two areas. "In Europe," suggested Kelley, "we've had the EU Data Protection Directive for many years, and now we have the upcoming GDPR. This area has been dealing with very strict data privacy laws for a very long time. We suspect that this is the primary reason for the difference -- because of this ongoing need to be more mature with data protection, it has led to a more efficient and optimized series of response programs in Europe."

IBM does not claim that this is a proven conclusion, but just one worth considering. If it is true, however, it leads to further useful speculation. At one level, it supports the EU's insistence on strict and rigid rules. But it also confirms that security really can work -- breaches may not be preventable, but effective incident response will certainly make them less costly.

There could be other causes, of course. Do Europeans simply spend more on security than their American counterparts, or do they use it more efficiently? This is difficult to answer. The two regions are broadly similar, although the US is considered to be the richer (according to the Federalist Debate, GDP is around 40% higher in the US than in the EU).

Certainly, according to IDC's 2016 Worldwide Revenue for Security Technology Forecast, "the United States will be the largest market for security products throughout the forecast. In 2016, the U.S. is forecast to see $31.5 billion in security-related investments. Western Europe will be the second largest market with revenues of nearly $19.5 billion this year."

It would appear from this that European companies do not spend more on security than American companies -- which leads us back to the idea that strict data privacy laws can spur companies to more efficient data protection. The upcoming GDPR, of course, will affect US companies in ways they were not affected by the existing European laws.

If the hypothesis that conforming to strict compliance requirements can improve security and reduce breach costs is correct, then over the next few years the cost of a breach in the US might start to decrease in line with Europe. "It's going to be interesting," Kelley told SecurityWeek. "Looking at the processes, procedures and technology within GDPR, there's a lot in there that can really help a company mature their overall data program. We can't predict the future -- but we shall see."

There is, of course, a huge amount of data within the Cost of Breach Study. Usually, it takes readers a considerable amount of time to isolate and analyze the particular information of interest. Here we have looked at just one area: the effect of compliance on the cost of a breach. This year, however, the study is accompanied by an online tool that will help companies delve deeper into different areas of the study: such as the effect of customer churn following a breach, the effect of employing a CISO on costs, and so on.

"This interactive tool," IBM told SecurityWeek, "allows you to explore the data from the report on your own, uncover trends and learn more about the cost of a data breach directly related to specific industries and/or security measures."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.