The Ponemon Institute has released a recent report concluding, among other things, that the cost to a company suffering a data breach in the U.S. has risen eight percent year-on-year from 2017. The total cost of the average breach has reached a staggering $8 million. Perhaps more important, however, is the report’s conclusion that organizations which took proactive measures drastically reduced the cost of a breach. Not surprisingly, costs of a breach were the highest in the U.S. compared to other jurisdictions. Also not surprising is that organizations in the healthcare industry generally suffer higher costs than other organizations—three times higher than the average cost. Information used to compile the report came from interviews with over 2,000 IT and data protection professionals.
The report mapped out the cost savings achieved by taking one or more of over a dozen proactive measures to prepare for the inevitability of a breach. The most effective cost-saving measure was having an incident response team in place. Other top measures included extensive use of encryption, having business continuity management in place, and employee training. Obtaining insurance against cyber events was another important cost-saving measure.
Consistent with the findings that having an incident response team and business continuity management in place offered significant cost savings, the report found that the biggest indicator of how much a data breach response would cost was the time it takes to identify and contain the breach. In a sample of just under 500 companies, the average time it took simply to identify that a breach had occurred was 197 days, i.e. more than six months. Even after a breach was identified, the average organization took 69 days to contain it. However, companies that identified a breach in less than 100 days and/or contained it in less than 30 days saved, on average, more than $1 million compared to companies that did not act within those time frames. On the other hand, compliance failures were one of the three most expensive mistakes a company could make, adding about $12 in costs per data record compromised.
The key lesson: don't wait for a breach to occur. An important corollary of the report's findings is that it is not just the IT department that needs to be regularly preparing for a breach. It is no surprise that measures like the use of strong encryption and other technical controls are important factors in preparing for and responding to a breach, and that they keep costs down when one occurs. But, as the report shows, ensuring preparedness to comply with regulatory requirements and having a response team ready to handle business and legal concerns is just as important. Hiring counsel now to help prepare a plan to respond to an incident, contain it, guide the investigation, and comply with notification laws and other regulations can result in significant cost savings when a breach inevitably occurs.