Detection and escalation costs related to data breaches were the highest in Canada and lowest in India, note findings of a new global survey released Wednesday.
“The average detection and escalation costs for Canada was US$1.60. In contrast, the average costs were US$0.53,” states 2016 Cost of Data Breach Study: Global Analysis, benchmark research sponsored by IBM and conducted by Ponemon Institute LLC.
“Data breach costs associated with detection and escalation are forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and Board of Directors,” notes the report.
Report findings reflect responses from 383 companies in the United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the Arabian region (United Arab Emirates and Saudi Arabia), Canada and South Africa. All participating organizations experienced a data breach ranging from approximately 3,000 to slightly more than 101,500 compromised records, a compromised record being defined as one that identifies the individual whose information has been lost or stolen.
Overall, the average total cost of a data breach for participating companies increased from US$3.79 million to US$4 million, the report states. As well, per capita or record cost increased 2.9%, the average size of the data breach (number of records lost or stolen) rose 3.2%, and abnormal churn (the greater than expected loss of customers in the normal course of business) grew 2.9%.
The average cost paid for each lost or stolen record containing sensitive and confidential information increased from US$154 in the 2015 report to US$158 in the 2016 report.
Looking at specific countries, the top average per capita cost of data breach over three years was US$201, US$217 and US$201 for the U.S.; US$194, US$211 and US$213 for Germany; and US$189 and US$211 (last two years) for Canada.
While the cost of data breach varies by industry, healthcare organizations had an average cost of US$355 and education had an average cost of US$246. The lowest average cost per lost or stolen record was in transportation (US$129), research (US$112) and the public sector (US$80).
Data breaches cost the most in the U.S. and Germany and the least in Brazil and India, states the report, while the average total organizational cost in the U.S. was US$7.01 million and US$5.01 million in Germany.
Indicators are that data breach occurrences will continue. The likelihood of a company having one or more such occurrences in the next 24 months is estimated at a 26% probability, with the breach involving 10,000 lost or stolen records, the report points out.
Organizations most likely to see a material data breach are in Brazil and South Africa, while those in Germany and Australia are least likely, the report adds.
Looking at who caused the largest portion of data breaches, that dubious distinction falls to hackers and criminal insiders. Overall, 48% of all breaches in the latest study results were caused by malicious or criminal attacks, 25% were caused by negligent employees or contractors (human factor) and 27% involved system glitches, which include both IT and business process failures.
The average cost per record to resolve a malicious or criminal attack was US$170, compared to US$138 per record for system glitches and US$133 per record for human error or negligence.
Canada held a distinction in this respect. “Companies in the U.S. and Canada spent the most to resolve a malicious or criminal attack (US$236 and US$230 per record, respectively),” the report states.
Malicious or criminal attacks, again, vary significantly by country. In Canada, 54% of all breaches were due to hackers and criminal insiders, while 21% were the result of a system glitch and 25% from human error. The per capita cost by root cause for Canada was US$230 for malicious or criminal attack, US$189 for system glitch and US$186 for human error.
The more records lost, the report notes, the higher the cost of the data breach. In the 2016 report, the cost ranged from US$2.1 million for a loss of less than 10,000 records to US$6.7 million for more than 50,000 lost or stolen records.
For the second year, the study shows the “relationship between how quickly an organization can identify and contain data breach incidents and financial consequences.” Both the time to identify and the time to contain were highest for malicious and criminal attacks (229 and 82 days, respectively) and much lower for data breaches caused by human error (162 and 59 days, respectively).
The company’s study of data breach experience of 2,013 organizations in every industry over the years reveals the following seven megatrends:
- the cost of a data breach has not fluctuated significantly, suggesting it is a permanent cost that organizations must be prepared to deal with and incorporate in their data protection strategies;
- the biggest financial consequence to organizations that experienced a data breach is lost business, meaning organizations having a breach need to take steps to retain customers’ trust to reduce the long-term financial impact;
- most data breaches continue to be caused by criminal and malicious attacks, which take the most time to detect and contain, resulting in the highest cost per record;
- over the years, detection and escalation costs in the research have increased, suggesting that investments are being made in technologies and in-house expertise to reduce the time to detect and contain;
- regulated industries, such as healthcare and financial services, have the most costly data breaches because of fines and the higher-than-average rate of lost business and customers;
- improvements in data governance programs will reduce the cost of data breach, with incident response plans, appointment of a chief information security officer, employee training and awareness programs, and a business continuity management strategy resulting in cost savings; and
- investments in data loss prevention controls and activities are important, with 2016 results showing lower cost when companies took part in threat sharing and deployed data loss prevention technologies.
“Incident response teams and extensive use of encryption decreased the cost of data breach,” the report states. “An incident response team reduced the cost of data breach by US$16 per record, from US$158 to US$142. In contrast, data breaches caused by third-party involvement resulted in an increase of US$14, from US$158 to US$172 per record,” it continues.
The loss of customers increased the cost of data breach, the report points out. “Certain countries had more problems retaining customers following a data breach and, therefore, had higher costs,” the report adds.
Other survey findings include the following:
- notification costs were the highest in the U.S.;
- post-data breach response costs were highest in the U.S. and Germany;
- U.S. organizations paid the highest price for losing customers after a data breach; and
- the Arabian Region had the highest direct costs and the U.S. had the highest indirect costs.