Cost of a Data Breach


Organizations often overlook some of the short- and long-term data breach costs.

Every second, 58 data records are stolen or lost. That adds up to nearly 5 million per day. More than 3,200 data compromise cases were reported in 2023, impacting more than 353 million individuals.

Of course, those figures only represent reported data breaches. Many go unreported, and the exposure of data records is often underestimated. In fact, it can take several years to understand the full scope and impact of a data breach. However, IBM Security and the Ponemon Institute offer insight into data breach costs.

The 2023 Cost of Data Breach Report found that each incident costs $4.45 million on average. That’s a 15.3 percent increase from the 2020 report. The average cost per record is $165, up 13 percent from 2020.

The time required to discover and contain a breach has a major impact on the cost. Breaches that took less than 200 days to find and resolve cost $3.93 million. Those that required more than 200 days cost $4.95 million — a 23 percent difference.

The U.S. has the highest data breach costs at $9.48 million. Healthcare tops the list of industries, with a cost of $10.93 million. The average cost of a healthcare data breach has increased 53.3 percent since 2020.

It All Adds Up

The cost of a data breach does vary according to the size of the victim organization. According to the IBM/Ponemon report, the average cost is $3.31 million for organizations with fewer than 500 employees. Another study found that small to midsize enterprises spend $269,000 on average responding to and recovering from a data breach. Almost half (43 percent) of data breaches involve small businesses.

The total cost of a data breach includes many activities and impacts. The IBM/Ponemon study accounts for investigations, identifying victims, communications and public relations, preparing disclosures and notifications, and other activities that occur immediately after a breach is discovered. Long after a breach, organizations are often on the hook for penalties and fines, consulting services, legal defense and compliance services, staff training, free or discounted services for victims, identity protection services and higher insurance premiums.

Customer churn is one of the biggest costs of a data breach, with the greatest long-term impact. Organizations affected by a data breach inevitably lose customers. Because customer confidence and trust are shaken by a breach, customer acquisition and retention costs go up. One study found that seven in 10 consumers would stop doing business with an organization after a data breach. Two-thirds are worried about their data being compromised, and 62 percent believe the organization holding their data is most responsible for keeping it secure.

Reducing the Impact

Organizations need to follow best practices for preventing a data breach while operating under the assumption that a breach is a matter of “when,” not “if.” Best practices include:

  • Perform a risk analysis and assessment of all applications and systems, especially those that house customer data. Consider bringing in an outside consultant to assist with evaluations and implementation of new solutions.
  • Identify security and compliance gaps and implement fixes where necessary.
  • Encrypt all network traffic and use web filtering to block bad traffic.
  • Implement tighter identity management policies and user access controls, such as multifactor authentication.
  • Deploy advanced tools such as next-generation firewalls and intrusion prevention and detection systems.
  • Secure mobile devices at the device and application levels.
  • Create and test an incident response plan that accounts for preparation for a breach; identification, containment and removal of threats; recovery of data and systems; and continuous improvement.
  • Train employees on the seriousness of cybersecurity threats such as ransomware and phishing, and what employees can do to prevent a breach.

A qualified managed services provider (MSP) can help organizations develop a comprehensive security strategy. The right partner can implement the systems and processes that reduce the risk and cost of a breach. The MSP can also monitor and manage systems to quickly identify and respond to threats.

