A new report from IBM Security could be enough to give CISOs everywhere nightmares: the cost of a data breach rose 12% over the past 5 years, and now averages a company $3.92 million in damages, via a combination of multiyear financial impacts, increased regulations and the lengthy process of resolving cyberattacks.
Small and midsize businesses are especially impacted when a data breach occurs, with the report finding that firms with fewer than 500 employees suffered losses of more than $2.5 million on average, a figure that could prove crippling for companies posting less than $50 million in annual revenue.
“Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses,” said Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services. “With organizations facing the loss or theft of over 11.7 billion records in the past 3 years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line — and focus on how they can reduce these costs.”
The report also found that the impact of a data breach is felt for years, with an average of 67% of data breach costs realized within the first year after a breach, 22% accrued in the second year, and 11% accumulated more than two years after the initial breach.
The report — which interviewed more than 500 companies around the world that suffered a breach during the past year — discovered that malicious breaches were the most common (and the most expensive) type of breach, accounting for more than 50% of data breaches in the study and costing companies $1 million more on average than those originating from other causes. Mega-breaches — those data breaches involving more than a million records — cost companies approximately $42 million in losses, while those involving 50 million records are projected to cost $388 million.
While data breaches in the U.S. are especially painful (the average cost of a breach in the U.S. was $8.19 million, more than double the average worldwide), the report had some positives: “Companies with an incident response team that also extensively tested their incident response plan experienced $1.23 million less in data breach costs on average than those that had neither measure in place,” the report read.
And inadvertent breaches (caused by human error and system glitches) offer lessons to be learned and an opportunity for improvement, via a combination of security awareness training for staff, technology investments, and testing services to identify breaches early on.