The cost of "mega" data breaches, where the number of lost records is over one million, can be as much as US$ 350 million (£264 million), according to a new study from IBM Security.
The research, carried out by Ponemon Institute, on behalf of IBM Security, found that the average cost of a data breach globally is US$ 3.86 million (£2.91 million), a 6.4 per cent increase from a similar report carried out last year.
The 2018 Cost of a Data Breach Study interviewed nearly 500 companies that experienced a data breach; the study analysed hundreds of cost factors surrounding a breach, from technical investigations and recovery, to notifications, legal and regulatory activities, and the cost of lost business and reputation.
The study also calculated the costs associated with "mega breaches" ranging from one million to 50 million records lost and projected that these breaches cost companies between US$ 40 million (£30 million) and US$ 350 million (£264 million) respectively.
The research found that the number of mega breaches (breaches of more than one million records) has nearly doubled - from just nine mega breaches in 2013, to 16 mega breaches in 2017.
Analysis of 11 companies that experienced a mega breach over the past two years found that the vast majority of these breaches (10 out of 11) stemmed from malicious and criminal attacks (as opposed to system glitches or human error). The study added that the average time to detect and contain a mega breach was 365 days – almost 100 days longer than a smaller scale breach (266 days).
For mega breaches, the biggest expense category was costs associated with lost business, which was estimated at nearly US$ 118 million (£89 million) for breaches of 50 million records – almost a third of the total cost of a breach this size. IBM analysed the publicly reported costs of several high-profile mega breaches, and found that the reported numbers are often less than the average cost found in the study. This is likely because publicly reported costs are often limited to direct costs, such as technology and services to recover from the breach, legal and regulatory fees, and reparations to customers, it said.
The study also looked at factors which increase or decrease the cost of the breach, finding that costs are heavily impacted by the amount of time spent containing a data breach, as well as investments in technologies that speed response time.
The average time to identify a data breach in the study was 197 days, and the average time to contain a data breach once identified was 69 days. Companies that contained a breach in less than 30 days saved over US$ 1 million (£755,052) compared to those that took more than 30 days (US$ 3.09 million (£2.33 million) vs. US$ 4.25 million (£3.2 million) average total).
In the UK, the research found that £2.69 million was the average total cost of a breach, an 8.1 per cent increase from the prior year. In addition, the per capita cost per lost or stolen record was £108, a 9.7 per cent increase from the prior year.
"While highly publicised data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified," said Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services (IRIS).
"The truth is there are many hidden expenses which must be taken into account, such as reputational damage, customer turnover, and operational costs. Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake."
Ilia Kolochenko, CEO of High-Tech Bridge, told SC Media UK that organisations need to build a comprehensive and up-to-date inventory of all their digital assets: software, hardware, users, data and licenses.
"Then assess and prioritise the risks and threats to these assets. Once done, a risk-based cyber-security roadmap should be launched and continuously measured. Speaking about particular technologies, I’d certainly emphasise continuous security monitoring, anomaly detection, strong authentication and role-based access control with four-eyes principle," he said.
Javvad Malik, security advocate at AlienVault, told SC Media UK that the cost of a breach will vary greatly depending on how quickly a company can detect a breach, and how mature and well-tested its response and recovery processes are.
"Orchestration and automation can also play a big part in speedy response, for example, by automatically and quickly taking an infected machine off the network, or rapidly blocking any c&c traffic," he said. "Organisations can minimise the damage caused by breaches by properly identifying critical assets up front, knowing where vulnerabilities are, and segmenting as well as having more rigorous monitoring controls."