[BreachExchange] Data breaches can haunt firms for years

Destry Winant destry at riskbasedsecurity.com
Thu Jul 25 10:06:22 EDT 2019


https://www.welivesecurity.com/2019/07/24/data-breach-cost-fallout/

The average cost of a data breach has risen 12% over the past five
years to US$3.92 million globally, according to IBM’s 2019 Cost of a
Data Breach study, which drew on input from more than 500 companies
around the world that suffered a breach over the past year.

The rising financial impact was attributed to a trio of factors – the
multi-year financial fallout from breaches, increased regulation, and
the complexity of resolving criminal attacks.

The report comes at a time when several companies are facing the
prospects of hefty bills for massive cyber-incidents. This includes
Equifax in the United States and British Airways and Marriott Starwood
in the United Kingdom.

For the first time this year, the study from IBM Security and Ponemon
Institute also looked at the ‘long tail’ financial impacts of
breaches. It found that while the compromised firm typically bears the
financial brunt of the incident within the first year after it occurs,
by no means is it ‘out of the woods’ so soon.

“While an average of 67% of data breach costs were realized within the
first year after a breach, 22% accrued in the second year and another
11% accumulated more than two years after a breach. The long tail
costs were higher in the second and third years for organizations in
highly-regulated environments, such as healthcare, financial services,
energy and pharmaceuticals,” reads the press release.

Among other findings, the report highlighted that in a number of
‘scenarios’ the financial consequences can climb even higher.

First, the incidents tend to be costlier for firms that suffered
breaches at the hands of malicious actors, as opposed to incidents
caused by human or system errors. Malicious breaches not only
accounted for more than one-half of the incidents under review, but
they also cost US$1 million more than the inadvertent breaches (US$4.45
million versus US$3.5 million).

In addition, for firms based in the US, the average cost of a breach
climbed all the way to US$8.19 million, having risen by 130% over the
past 14 years.

Typically, breaches weigh particularly heavily on healthcare
organizations, which recorded the highest average cost (US$6.5 million)
and topped the list for the ninth year in a row.

Regardless of the industry, however, a data breach can be downright
devastating for a small and even mid-sized business. The study found
that companies with fewer than 500 employees suffered losses of more
than US$2.5 million on average. To put that into perspective, small
businesses typically earn $50 million or less in annual revenue.

The average life cycle of a breach was 279 days. More precisely, on
average it took companies 206 days to spot and another 73 days to
contain the incident. When it comes to only malicious breaches, it
took even longer – 314 days.

“Companies in the study who were able to detect and contain a breach
in less than 200 days spent US$1.2 million less on the total cost of a
breach,” according to the report. It outlined a slew of other factors
that influenced the financial fallout, including the number of data
records lost, whether the breach originated from a third party, and
whether the company made extensive use of encryption.

In her excellent article last year, ESET security researcher Lysa
Myers outlined how preparing for the worst can actually help firms
avoid falling victim to such incidents in the first place.
