Bad news and good news emerged from the Ponemon Institute’s 2015 Cost of a Data Breach study, released in May: breach costs continue to rise, but security measures such as creating a data breach response team can significantly curb the costs of a data breach.
The study found that the average total cost of a data breach climbed from $3.52 million in 2014 to $3.79 million in 2015, and the average cost per breached record jumped $9. Since the 2013 study, total breach costs jumped 23 percent and per capita costs rose 12 percent. Certain industries experience higher costs when a breach occurs.
The study attributes the escalating costs to three main factors. First, cyberattacks are occurring more frequently; cyberattacks now account for nearly half of all breaches. Second, increased consumer awareness of data breaches has contributed to the loss of business—and all the associated costs—that a company experiences in the wake of a data breach. Finally, companies are paying more to detect, investigate and manage a breach—nearly $1 million per breach on average.
Ponemon’s data underscores an important lesson that more companies are taking to heart: data breach management must be as much about reducing costs at the remediation phase as it is about minimizing the risks of a breach occurring. Just as you take steps to prevent a breach, you must also be prepared to deal with one as cost effectively as possible when it does occur.
Fortunately, the data also shows that being proactive pays off. Data breach preparedness tactics such as creating an incident response team, business continuity management, insurance protection, board-level involvement, widespread use of encryption, employee training and having a chief information security officer (CISO) can all decrease the per capita cost of a data breach, Ponemon reports.
Having an incident response team delivered the greatest cost savings—a reduction of $12.60 per breached record. Business continuity management reduces the per capita cost by $7.10, and insurance cuts $4.40 off the cost. For large businesses that may deal with breaches involving thousands or even millions of records, these savings add up. For smaller businesses, cost reductions could be the difference between staying afloat or going under in the wake of a breach.
Based on Ponemon’s study, the course of action is clear: companies looking to control post-breach costs need to act before a breach occurs. Must-do measures include:
- Create an incident response team and a data breach response plan.
- Update and test the plan regularly.
- Employ strong encryption through all key business systems.
- Conduct regular employee training on data breach prevention and response measures.
- Establish a CISO.
- Engage in business continuity management.
- Involve the board in preparedness and response plans.
- Secure insurance.
The raw data also implies another important aspect of controlling costs after a data breach. The more effective and efficient your data breach response, the better your chances of mitigating the potential reputational damages that lead to loss of business. Customers who decamp because of poor data breach management not only take real dollars away from a business, they also impact future earnings as they use social media and other channels to communicate their negative experience to potential new customers.
Data breach preparation should continue to be a top priority for companies of every size. It’s unlikely risks and costs will shrink on their own any time soon, but Ponemon’s study confirms what many in the data breach response industry have long known: preparation pays off.