IE 11 is not supported. For an optimal experience visit our site on another browser.

The total cost of a data breach — including lost business — keeps growing

“Failure to respond urgently, transparently, and with empathy can result in a near extinction-level event."

The financial damage caused by a data breach has spiked by more than 6 percent since last year and now costs companies an average of $3.86 million each, according to a new study.

Aside from expensive technical investigations and regulatory filings, a breach also includes hidden costs such as lost business, negative impact on reputation, and employee time spent on recovery, according to a new report by the Ponemon Institute.

The 2018 Cost of Data Breach Study, sponsored by IBM Security, found that the average cost for each lost record rose from $141 to $148, an increase of nearly 5 percent. Healthcare organizations had the highest costs associated with a lost or stolen record, at $408 — three times higher than average.

For the first time, this year’s study calculated the costs of a mega breach. IBM says there were 16 mega breaches last year, as compared to just nine in 2013. Not surprisingly, the bigger the breach, the higher the cost. The Ponemon Institute’s analysis of 11 mega breaches found:

  • The average cost of a breach involving 1 million records was nearly $40 million dollars.
  • The cost of a breach totaling 50 million records was estimated to be $350 million.
  • The average time to detect and contain a mega breach was 365 days — 99 days longer than a smaller breach (266 days).
  • Nearly all of these breaches (10 out of 11) resulted from malicious or criminal attacks, not system glitches or human error.

One company’s story

NBC News arranged with the Ponemon Institute to interview the Chief Information Security Officer at a large U.S. bank about the company’s recent breach. The executive agreed to the anonymous interview with Larry Ponemon, the institute’s founder and CEO, as long as NBC News was not told the name of the bank.

Roughly 40,000 customer records were compromised in the breach, which resulted from a spear-phishing attack on the bank’s IT help desk. It took 185 days to discover the breach and 59 days to contain it. The estimated cost to the bank is expected to exceed $7 million. Spear-phishing involves targeting a specific person within an organization with email that appears to be from a known or trusted sender in order to trick that person into revealing confidential information.

“Another negative impact was diminished trust of customers, business partners, and regulators,” the banker told Ponemon. “Even though this was not our first data breach, I was surprised to see just how easy it was for the attackers to seize the identity of privileged users. The theft of valid credentials allowed them to bypass perimeter defenses and hunt for vulnerabilities.”

Because of the new intrusion, the bank implemented an employee training program on data protection and phishing attacks. It’s now exploring the possibility of adding automation tools and artificial intelligence to its security toolkit. When asked to share the lessons learned from this breach, the banker told Ponemon: “Preparedness is the key to a successful response to a data breach. While it is impossible to prevent all data leakage and data theft, it is clear that a strong incident response team can significantly reduce the ‘pain’ associated with data breach issues.”

Why do U.S. companies take a bigger financial hit?

Breaches are a global problem. The financial fallout from a breach varies by country. U.S. companies experienced the highest average cost ($7.9 million) followed by Middle Eastern firms ($5.3 million). The lowest total cost was in Brazil ($1.2) and India ($1.7 million).

American consumers often “vote with their feet” and often stop doing business with a company that’s suffered a breach, Ponemon told NBC News. “A lot of people do care about the privacy of their information and they want organizations to be more proactive in managing that information, so this loss of trust does translate into a much higher cost.”

The U.S. also has a fragmented regulatory approach to breach notification.

“There are 49 different disclosure laws in the U.S. right now and they’re all different,” said Caleb Barlow, vice president of threat intelligence at IBM Security. “What you do in Arkansas is going to be completely different from what you do in Massachusetts and that can ratchet up the cost quite significantly.”

What the professionals are saying

To prepare this report, the Ponemon Institute interviewed more than 2,000 IT, data protection, and compliance professionals from 477 companies in 15 countries that experienced a data breach over the past 12 months.

The Institute provided NBC News with some of the comments from those interviews.

“The [data breach] incident was much worse than expected. It took a thousand hours for the [forensic] consultants to reveal the true identity and methods of the hackers,” an associate general counsel of a US Transportation firm told Ponemon.

“The true cost of the data breach was much higher than what we projected. One of the most expensive elements is the economic impact of the incident on business and IT performance,” said a senior security analyst with a U.S. energy company.

“When we first learned [about] the data breach, we were in a state of disbelief. Fortunately, we had training that helped us to know the steps needed to mitigate damages to our company’s brand and reputation,” a chief privacy officer at a U.S. pharmaceutical company said.

Time is money

“Don’t think for a moment that your organization isn’t that interesting to a hacker because no company is too small, too unimportant or too irrelevant to be a target,” said digital security expert Adam Levin, author of the book “Swiped” and founder of CyberScout, a company that helps businesses prepare for and deal with breaches. “Think Game of Thrones: A breach is coming. You must have a plan — and a few dragons.”

These days, companies will be judged by both how they protect data and how they respond to a breach, Levin told NBC News.

“Failure to respond urgently, transparently, and with empathy can result in a near extinction-level event,” he said.

Companies are judged by both how they protect data and how they respond to a breach: “Failure to respond urgently, transparently, and with empathy can result in a near extinction-level event."

The quicker a breach can be dealt with, the lower the cost to repair the damage. Companies that contained a breach in less than 30 days saved more than $1 million, on average, compared to those that took more than 30 days ($3.1 million vs. $4.3 million in total costs). The key cost saver was having an incident response team ready to act, the study found.

Automated security tools that use artificial intelligence (AI) can also cut the cost. Organizations that had deployed AI security technologies saved more than $1.5 million on the total cost of their breach.

“Organizations can take steps that will significantly reduce the overall cost of a data breach,” Ponemon told NBC News. “Things like having an incident response team, having the right governance process in place, having enabling technologies. All of these basic blocking and tracking activities makes a difference in terms of cost.”

IBM Security’s Barlow advises companies to practice being breached on a quarterly basis.

“This is not something you want to try to learn once the worst happens,” he said.

Herb Weisbaum is The ConsumerMan. Follow him on Facebook and Twitter or visit The ConsumerMan website.