Almost every week a brand owner discloses that a data breach has occurred. As trademark professionals and ambassadors of our organization's and client's brands, the effect of a data breach goes far beyond the concrete costs and resources in dealing with the breach.
Studies have shown and common sense supports that a data breach can cause substantial damage to brand value due to harm to the goodwill in a brand and loss of consumer trust. Thus, data breaches are not just a data privacy concern; rather, it is a concern of all stakeholders and especially those that protect the goodwill of brands.
Data breaches impact global brand owners as well as mid and small size organizations. They draw media attention which results in unwanted public exposure especially in cases where customer personal data is disclosed. Additionally, data breaches can diminish the value of a company, impact stock performance, and can directly result in a lower purchase price for an acquisition.
This alert is intended to summarize the research conducted by IBM and the Ponemon Institute in their 2018 Cost of a Data Breach Study and in particular we will highlight factors that mitigate damage after a data breach and those that increase damage after a data breach. See chart here.
The full report can be found here: 2018 Cost of Data Breach Study
Main Takeaways on Mitigating the Cost of a Data Breach
The study indicated that the average total cost of a data breach is US$3.86 million and that the average cost per lost or stolen record is US$148, which demonstrates a considerable increase in relation to the 2017 report averages.
While obviously it is best to avoid a data breach all together, if (and likely when) one occurs, there are concrete steps a company can take to preserve customer trust and mitigate the loss of brand value.
- The existence of a Chief Privacy Officer or Chief Information Security officer who is responsible for managing customer trust initiatives reduces customer loss after a data breach
- Offering post-breach identity protection helps to reduce customer loss, in return reducing the cost of a breach
The study also showed a significant correlation between the speed of response to a data breach and the cost to a company.
- The faster a data breach can be contained, the lower the cost; however, a rush to notify customers without fully understanding the situation increases the cost of a breach.
- The existence of an incident response team was shown to reduce the cost of a data breach by as much as $14 per compromised record, as compared to the average total cost per record of $148.
- The extensive use of encryption within an organization can also lead to decreased costs.
- In contrast, if a third party caused the breach, the cost per record increased.
- Finally, companies should be taking protections to validate the security of their third party partners, while also proactively designating and training internal resources as part of an incident response team. Further, effective management of detection and escalation can significantly affect the cost of a data breach:Pre-breach Business Continuity Management reduces the cost of a data breach. Companies should be taking steps to proactively identify disaster recovery, business recovery, and crisis management plans.The existence of defined resources and plans can lead to quicker containment and lower costs.Engagement of consultants to assist with post-breach remediation was shown to the cost of a breach. The existence of insurance protection was shown to decrease the cost incurred from a data breach. Today, there are several companies offering cyberinsurance. In 2018, for instance, three million cyberinsurance policies were in force.
Data Breach Cost By the Numbers
- The average cost of a data breach increased 6.4% between 2017 and 2018.
- The average cost of a stolen record increased 4.8%.
- The average size of a breach increased 2.2%.
- South Africa was reported to have the highest probability of a data breach (43%).
- Germany was reported to have the lowest probability of a data breach (14.3%).
- Financial Services, Services, and Industrial Manufacturing industries experienced the highest frequency of data breaches
- The Health ($408) and Financial sectors ($206) had the highest per capita data breach costs
- 48% of data breaches were caused by malicious or criminal attacks
In addition to the research conducted by IBM and the Ponemon Institute, a recent released report from Verizon ("Verizon 2019 Data Breach Investigation Report"), which tracked 41,686 security incidents around the world, including more than 2,000 data breaches from 86 countries and 73 various data sources, add the following complementary information:
- The Verizon report confirmed the importance of being prepare to respond to a security incident before the attack takes place, especially considering that discovery and containment of a successful breach usually take months.
- The breaches by state actors are on the rise, while breaches by organized crimes group are falling, what may suggest an increase in attackers' sophistication and an improvement of the resources and methods applied.
- Even though approximately a third of all breaches still involve phishing, the effectiveness of phishing attempts seem to be in decline because the click rate on phishing links has lessened and employees are increasingly aware of the need of quickly reporting when they accidentally click on a phishing link.
- Ransomware attacks continue to be a serious threat to all industries, accounting for roughly a quarter of all security incidents in 2018.
- Small business accounted for 43 percent of all data breaches, with public sector entities (15 percent), healthcare organizations (15 percent), and financial services companies (10 percent) also experiencing a significant number of attacks.
- Hacking, malware, and social media are the most common threat actions used to carry out attacks.
The full report can be found here: (Link to the Verizon Study)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.