Year after year, the Ponemon Cost of Data Breach Study reports that breach costs have gone up, and the 2016 report is no exception. The average cost of a data breach is now $4 million, up from $3.8 million in the 2015 report, according to this year's study, which was sponsored by IBM.
The average cost per lost or stolen record as reported in the 2016 report is $158, up from $154 in the 2015 report and $145 in the 2014 study. The average cost of a stolen or lost record varies by industry: lost or stolen health care records cost $355 each, the highest of any industry and a record high in 2016. Looking at the root causes of data breaches, the study found that 48 percent of data breaches were the result of malicious attacks against an organization. The report also found that the average time to identify a breach now stands at 201 days.
"The big takeaway from the report this year though is that there are things organizations can do to reduce costs," Diana Kelley, executive security advisor at IBM Security, told eWEEK.
Extensive use of encryption, for example, reduces the cost of a data breach by an average of $14 a record. Even more notable, having an incident response team in place reduces the cost of a data breach by $16 a record.
Somewhat coincidentally, IBM acquired incident response management firm Resilient Systems in February. That said, Kelley emphasized that IBM has offered incident response services for several years, and that the Cost of Data Breach Study has likewise been asking organizations about their use of incident response for multiple years.
"We have been seeing from different data and from our customers that incident response is increasingly important," Kelley said. "So we responded to that need by improving our own incident response capabilities on the services side, and we improved our story on the software side by acquiring Resilient."
As to why data breaches become more expensive year-over-year, Kelley noted that customer churn and the cost of retaining customers are challenges. Add to that the fact that legal costs associated with breaches are rising as well. Forty-seven states in the United States have separate breach notification laws, she said. Additionally, the average cost of a legal settlement after a breach in the U.S. now stands at $880,000.
Looking forward, Kelley said training can be a key driver in helping to reduce the risks of breaches.
"Some will say that you just can't train people to not be idiots, but I don't believe that," she said. "I generally believe that the more aware we are about security, the better we all are."
Employee training will reduce the cost of a data breach by approximately $9 a record, this year's study found. In Kelley's view, as more employees are trained, the value of training will rise, further lowering the cost of data breaches.
In February, IBM published a report on securing the C-suite, detailing executives' security confidence and the reality of security response capabilities. There is a connection between executives and the cost of a data breach, and Kelley is hopeful that the connection isn't that business leaders are just simply afraid of the increasing costs.
"Fear very rarely helps us to do anything, so I'm hoping that C-suite executives will understand what's going on here with the cost of a data breach, instead of being afraid," she said.
Kelley's hope is that the big takeaway from this new report will be that there are tangible things executives can do to help their companies lower breach costs.
"There are actions that have been quantifiably proven out that will reduce the likelihood of a breach or, at the very least, the cost of a breach," Kelley said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.