Hidden costs in data breaches – such as lost business, negative impact on reputation and employee time spent on recovery – are difficult and expensive to manage, according to a new study by IBM. The study found that one-third of the cost of “mega breaches” (over 1 million lost records) were derived from lost business.
According to the study, which was based on interviews with approximately 500 companies, the average cost of a data breach globally is $3.86 million, a 6.4 percent increase from a 2017 report on the subject.
The study also calculated the costs associated with “mega breaches” ranging from 1 million to 50 million records lost, projecting that these breaches cost companies between $40 million and $350 million respectively.
“While highly publicized data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified,” said Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services (IRIS).
“The truth is there are many hidden expenses which must be taken into account, such as reputational damage, customer turnover, and operational costs. Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake.”
For mega breaches, the biggest expense category was costs associated with lost business, which was estimated at nearly $118 million for breaches of 50 million records – almost a third of the total cost of a breach this size, the study stated.
IBM said it analyzed the publicly reported costs of several high profile mega breaches, and found the reported numbers are often less than the average cost found in the study. This is likely due to publicly reported cost often being limited to direct costs, such as technology and services to recover from the breach, legal and regulatory fees, and reparations to customers, the study stated.
The report also examined the effect of security automation tools which use artificial intelligence, machine learning, analytics and orchestration to augment or replace human intervention in the identification and containment of a breach. The analysis found that organizations that had extensively deployed automated security technologies saved over $1.5 million on the total cost of a breach ($2.88 million, compared to $4.43 million for those who had not deployed security automation.)