IBM Pegs Mega Breach Cost at $350M, as Average Breach Cost Hits $3.9M

The 2018 Cost of a Data Breach Study found that costs have risen in the past year as attacks become increasingly complex.


The cost of data breaches has increased over the past year, according to the 2018 Cost of a Data Breach Study conducted by the Ponemon Institute and sponsored by IBM, which was released on July 11.

The new report found that the average cost of a data breach is now $3.86 million, which is a 6.4 percent increase over the figure reported in 2017. The $3.86 million figure is the total average cost of data breaches from an analysis of 477 companies around the world.

The general sample does not include mega breaches, in which between 1 million and 50 million records are stolen. Mega breaches had much higher costs, ranging from $40 million to $350 million. The study's figures for mega breaches, however, do not include costs for the Equifax breach, which occurred at the end of 2017.

"The Equifax data breach would be considered an outlier for our general sample of 477 companies, which is bound by 100,000 compromised records," Larry Ponemon, chairman and founder of Ponemon Institute, told eWEEK.

For the mega breach component, Ponemon looked at 11 mega breaches that occurred in the past year. He noted that, because the mega breach analysis only included breaches of up to 50 million compromised records and the Equifax breach reportedly affected around 150 million people, the total costs experienced by mega breach victims would presumably be much higher than the costs found in the study.

For regular data breaches, IBM does not regard the renewed rise in costs as a surprise.

"The fact that the global cost of a data breach rose this year is no surprise, since this figure has risen fairly consistently each year of the report, with the exception of 2017, which was an outlier," Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services (IRIS), told eWEEK. "In 2017 we saw the global cost of a data breach decline slightly, though the bulk of that decline was in certain European countries, and many regions still saw increased costs last year."

Whitmore added that, from IBM's work with clients, her group has found that data breaches are becoming more advanced and complex, which increases the time to resolve them and therefore the total cost of a breach. She noted that this year's cost increase is consistent with what IBM is seeing in the field.

Time to Detection

The 2018 Cost of a Data Breach Study found that the average time it takes to identify a data breach was 197 days, up from 191 days in 2017. The time it takes to contain a breach rose to 69 days, up from 66 in the 2017 report. Once again, the report found a correlation between lower costs and organizations that detected breaches quickly. According to the report, organizations that contained data breaches within 30 days spent over a million dollars less on breach-related costs than organizations that took more than 30 days.

"The amount of time it takes to resolve an incident ultimately depends on the scale and complexity of a breach," Whitmore said. "For breaches conducted by highly skilled attackers, our analysis often identifies that the initial attack began months ago."

Whitmore added that IBM X-Force IRIS clients tend to have a more mature security posture overall, including proactive detection as well as immediate response capabilities, so the total response time IBM sees with its clients is often much lower than the average reported in the study.

Data Breach Costs

One area of the report that was particularly interesting for the IBM IRIS team, according to Whitmore, was its breakdown of the various cost centers contributing to the total cost of a breach. One of the costs identified in the report is lost business, which contributed to the total cost in every region, and especially in the United States.

"This is something that organizations don't often consider, as they are focused on the direct costs such as investigation, technology and remediation costs," she said. "Given that the cost of lost business accounts for around a third of the total cost, companies need to consider the fact that how they respond will have a big impact in terms of their overall business revenue."

The report found that the use of artificial intelligence (AI) technologies reduces the cost of a data breach by approximately $8 per lost or stolen record. Making use of AI is an approach that IBM endorses and is already using in its cyber-security practice.

"One big step we are implementing across our IBM Security Services is having our analysts use a new technology platform which uses various machine learning tools and customized AI algorithms to help streamline and automate certain parts of the response process," Whitmore said.

For instance, she said that AI tools can automatically weed out duplicate events and false positives for analysts, enabling them to focus their time on threats that need additional analysis, or take automated actions like implementing a virtual quarantine on affected endpoints. The IBM platform also uses AI to analyze historical response cases to predict and recommend responses for new events with a similar profile.

"Also, our analysts can take advantage of data from AI tools being used in client security operation centers, such as Watson for Cyber Security," Whitmore said. "This extra data can help speed the response process and point our analysts in the right direction to begin the investigation."

Looking forward, Whitmore doesn't expect the costs of data breaches to decrease in the coming year. Rather, she expects that costs will continue to rise.

"Given GDPR [the European Union’s General Data Protection Regulation] going into effect, I think we can expect to see increased costs related to notification both in Europe and globally, as companies adjust to these new notification requirements," she said. "This year we've also seen a lot of consumer attention and concern around data privacy and security, so the cost of lost business and customer turnover may also increase as people are becoming less willing to do business with organizations that they don't trust to protect their data."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
