Cyber Measures Starting to Pay Off

A study found that the average cost of a data breach was still high, at $3.6 million, but had declined 10% since 2016.

Organizations pay a hefty price for a data breach, but the cost, for the first time, has dropped, a 2017 IBM Security study conducted by the Ponemon Institute has found. The study, which interviewed more than 1,900 individuals at 419 organizations in 11 countries, found the average cost of a data breach is $3.6 million—a 10% decrease from IBM Security’s 2016 study. Incidents with fewer than 10,000 records compromised cost, on average, $1.9 million, and incidents with more than 50,000 compromised records cost, on average, $6.3 million. Incident costs in the 2016 study averaged $2.1 million for the smaller breaches and $6.7 million for the larger ones.

“I was pleasantly surprised to see this was the first year in the history of the study that the global cost of a data breach has declined,” says Diana Kelley, IBM Security’s global executive security adviser. The Ponemon Institute has tracked the cost of U.S. data breaches for 12 years and other countries’ breaches for as long as 10 years. This year’s decrease, Kelley says, “may be an indication that the expertise and processes being put in place to optimize security measures are more effective than ever before.”

What’s working

The new study found that incident response, encryption and education had the most impact—and business continuity programs also helped—in reducing the cost of a data breach. The faster a data breach can be identified and contained, the lower the costs, the study revealed. For the 419 companies in the study, the average time to identify a data breach was 191 days, and the average time to contain a breach was 66 days. The average time to identify and contain a breach was highest when a malicious or criminal attack was involved.

People, not glitches, cause most problems

“Successfully responding to a breach is all about speed and limiting the window of access and damage to an organization’s IT environment and data,” Kelley says. “The more quickly a security team can identify what has happened, what the attacker has access to and how to contain and remove their access, the more successful they will be in keeping costs down.”

Hackers and criminal insiders cause the most data breaches. The study found that 47% of all breaches were caused by malicious or criminal attacks. The average cost per record to resolve such an attack was $156. In comparison, system glitches were resolved at an average cost of $128 per record, and human error or negligence breaches were fixed for $126 per record.

Companies in the U.S. and Canada spent the most to resolve a malicious or criminal attack. U.S. organizations spent, on average, $244 per record, and those in Canada spent $201 per record. In comparison, companies in India spent much less—$78 per record. A single record compromised, of course, would be a manageable expense, but organizations with data breaches usually are faced with hundreds to thousands of compromised records.

“The numbers add up quickly when you consider all the resources and elements affected by an attack,” Kelley says. “Detection and escalation costs alone can include forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and the board of directors.”

The bill “continues to rise,” she says, with the cost of notifying victims, help-desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions. “For some small- or medium-size companies,” Kelley says, “a data breach could cost them their business if not effectively addressed.”

This article originally appeared on It was written by Gary Stoller.

Byron Acohido

Byron Acohido is a business journalist who has been writing about cybersecurity and privacy since 2004, and currently blogs at