We recently released the 2016 Cost of Data Breach report in partnership with IBM Security. Every year we report on the findings of our survey of organizations worldwide; this year the survey covered 383 companies across 16 industries in 12 countries.
Our goal in this annual research is to help people understand the costs associated with data breach incidents. Over the years, our study of the data breach experience of more than 2,000 organizations across every industry has revealed the following seven megatrends.
7 global megatrends in the cost of data breach research
- Since we first conducted this research, data breaches have become a consistent cost of doing business in the cybercrime era. The evidence shows that this is a permanent cost that organizations need to be prepared for and incorporate into their data protection strategies.
- The biggest financial consequence to organizations that experienced a data breach is lost business. Following a data breach, organizations need to take steps to retain customers’ trust to reduce the long-term financial impact.
- Most data breaches continue to be caused by criminal and malicious attacks. These breaches also take the most time to detect and contain. As a result, they have the highest cost per record.
- Organizations recognize that the longer it takes to detect and contain a data breach, the more costly it becomes to resolve. Over the years, detection and escalation costs in our research have increased. This suggests that investments are being made in technologies and in-house expertise to reduce the time to detect and contain.
- Regulated industries, such as healthcare and financial services, have the most costly data breaches because of fines and a higher-than-average rate of lost business and customers.
- Improvements in data governance programs reduce the cost of a data breach. Incident response plans, appointment of a CISO, employee training and awareness programs, and a business continuity management strategy continue to result in cost savings.
- Investments in certain data loss prevention controls and activities, such as encryption and endpoint security solutions, are important for preventing data breaches. This year’s study revealed a reduction in cost when companies participated in threat sharing and deployed data loss prevention technologies.
We recommend the following six activities that companies can pursue to improve the effectiveness of their data breach preparedness plans.
- Analyze the costs of previous data breaches in order to minimize the financial consequences of future incidents.
- Review crisis management plans to determine what needs to be improved in order to address adverse publicity and media coverage following a data breach.
- Include a strategy to minimize the consequences of the theft of business confidential information and intellectual property in data breach response plans.
- Include a strategy to maintain the trust of customers, business partners and other key stakeholders in data breach response plans.
- Require audits of third parties to ensure their security procedures are sufficient to safeguard sensitive or confidential information.
- Conduct more fire drills to practice data breach preparedness, and regularly review the content of employee data breach awareness plans so that they reflect current threats to sensitive and confidential information.
Based on our research, it seems that while more companies have response plans, they are not addressing the most severe consequences of a data breach, such as loss of customer trust and reputation, and the cost of these incidents. Data breaches are a challenge for all organizations. We hope that understanding the trends and applying pragmatic solutions will reduce the consequences of a security incident.