U.S. business experienced a good news-bad news scenario when dealing with cybersecurity in 2017. Increased mobile use and malicious hackers helped the cost of data breaches reach a record level among U.S. companies last year, even as businesses acted faster to contain them and learned how to handle them, according to the “2017 Cost of Data Breach Study” from the Ponemon Institute and sponsored by IBM.
The average data breach in 2017 cost $7.35 million, topping the record set in 2011, according to Ponemon’s annual survey of businesses. The cost per record lost or compromised also rose, to $225, according to the study.
“The time to identify and the time to contain a data breach is decreasing globally, which is a good fact,” said Larry Ponemon, founder of the institute. But, he warned, “we don’t operate in a vacuum and there are other factors.”
The increased severity of the attacks might actually be increasing costs to organizations, said Ponemon. The WannaCry ransomware attack last year alone is believed, by some estimates, to have cost more than $4 billion globally.
Malicious hacks were the most common reason for breaches, accounting for 52%, more than twice the rate of system glitches—including IT and business-process failures—or employee negligence, which were each responsible for 24% of breaches. Malicious attacks are also costlier, at $244 per record on average, compared with $209 for glitches and $200 for human error.
Some good news
But the study found that companies are becoming better at dealing with data breaches. Organizations cut back the average time to identify a data breach to 191 days, down from 201 in 2016; the time needed to contain a breach dropped to 66 days, from 70 in 2016. The report attributed the improvement to investments in technology, such as security analytics, SIEM, enterprise-wide encryption, and threat intelligence sharing platforms.
However, the study found security investments themselves are raising the costs of breaches. Detection and escalation costs increased by 47%, to $1.07 million on average, while notification costs increased to $0.69 million, from $0.59 million. Additionally, the costs to reputation from breaches and customer churn are increasing, according to the study.
Consumers are increasingly distrustful of companies that can’t protect their data, said Ponemon. Churn can even be underestimated, because clients that use multiple providers may simply shift a breached vendor from first to second place rather than drop it, and because a breach may hit an organization its customers cannot easily leave, such as a government agency.
“If you’re a veteran you can’t say ‘I want another VA,’” said Ponemon, but he added: “People still lose confidence.”
Lost business cost, from churn and from the new customer-acquisition activities needed to stem it, shot up to $4.03 million per breach, from $3.32 million in 2016. Other post-breach costs, such as legal expenditures, help-desk activities, and special investigations, were lower, dropping to $1.56 million on average from $1.72 million in 2016.
The study factored four new variables into the cost of a breach: compliance failures, the use of mobile tools, the appointment of a Chief Privacy Officer (CPO), and the use of security analytics. The use of security analytics reduced the per-record cost of a data breach by $7.7, and the appointment of a CPO reduced it by $4.3. However, extensive use of mobile platforms at the time of the breach increased the per-record cost by $6.5, and compliance failures increased it by $19.3.
The study noted that, while appointing a CPO and using data analytics reduced the average breach cost, mobile use and compliance failures pushed it up.
“There is definitely a relationship,” said Ponemon. Companies that have a fully dedicated CPO function have a lower cost of compliance failure, while bring-your-own-device (BYOD) policies work in the inverse, he said.
“A company that has BYOD has potentially higher non-compliance issues,” he said. “The end user has more control of the compliance issue.”
The survey also found a decrease in post-breach costs, such as special investigations and help-desk activities. This was another good news-bad news case, noted Ponemon: “Unfortunately, organizations that have suffered one or two data breaches are learning how to respond.”
Organizations that have endured breaches or hacker exploits have created infrastructures that include incident response teams and learned the right response for regulators and other stakeholders, said Ponemon.
“It’s a shame that they have to deal with data breaches over and over again,” he said, “but we see organizations doing a better job in that regard.”