Ponemon Breach Cost Report 2019
For the past 14 years, Ponemon Institute has released reports on the costs associated with a data breach. This information is valuable for all security practitioners because it informs budget, areas of focus, and return on investment for security initiatives, including information specific to your industry vertical.
While the Ponemon report is incredibly thorough, we’ll summarize five key areas:
- Average Total Breach Costs
- Breach Probability
- Root Cause
- Per Capita Costs
- Ways to Reduce Breach Cost Exposure
Average Total Breach Costs
Average total breach costs are based on a data loss equivalent to 10,000 records comprising PII, PCI, PHI, and intellectual property. Total breach costs over the past 4 years initially declined, but have climbed back to 2016’s high of $4 million. That’s a global average; in the United States, the average breach cost in 2019 was $8.19 million.
Four contributors to total breach cost are Lost Business, Detection and Escalation, Post-breach Response, and Notifications.
- Lost Business: lost business results from a loss of customer trust and is the biggest contributor to breach costs, representing 36% of the total. A breached company with an abnormal customer turnover rate of 4% experienced a total breach cost of $5.7 million – 45% greater than the overall average cost of a breach.
- Detection and Escalation: these are the activities that enable the company to realize a breach has occurred and to notify the appropriate personnel through a predefined escalation process. 24×7 monitoring is critical for these activities, reducing the Mean Time To Identify (MTTI) a breach to hours if not minutes. Overall MTTI in 2019 was 206 days, which can more than double breach cost exposure.
- Post-breach Response: these are containment and remediation efforts, processes to help customers affected by the breach, and reparations and fines owed to data subjects and regulatory bodies for regulatory failures.
- Notifications: communications with individuals affected by the breach are necessary; roles and responsibilities should be established to control interactions with the media.
Breach Probability
Among the most interesting information in the Ponemon report is its prediction of breach probability. Based on the experiences of the more than 500 companies in its research, breach probability is modeled on the number of data records lost and the country or region of the incident. In countries such as South Africa, India and Brazil, the likelihood of a breach occurring in the next 24 months can be 40%; the global average is 29.6% for a loss equivalent to a data breach of 10,000 records. Breach probability has been trending up over the 14-year span Ponemon has conducted this research.
As the potential volume of data records lost increases, the probability of a breach of that size decreases.
Root Cause
Root cause is evaluated in three categories:
- Malicious or Criminal Attack
- Human Error
- System Glitch
While the incidence of Malicious or Criminal Attack has risen steadily over the years, Human Error and System Glitch have both decreased. Threat actor activity results in higher breach costs than the other two categories.
Per Capita Cost
One of the more fascinating and valuable metrics from the Ponemon report is Per Capita Cost. This is the cost of a single data record’s loss, split out by industry vertical, and it allows breach cost exposure and probability to be computed by applying the cost of a single record’s loss to the 29.6% likelihood of a breach of 10,000 records. For example, in the Health vertical, that works out to an average breach cost exposure of $4.29 million, twice the exposure of the Financial vertical.
Average percentage change in per capita cost: -27.18%
It is worth noting that while the Health vertical’s per capita cost has risen steadily, most others show only modest increases or declines. The past 4 years show a 27% decline in per capita rates overall. At the same time, total breach costs and malicious activity have steadily increased.
Ways to Reduce Breach Cost Exposure
Among the most valuable metrics in the Ponemon report are the ones detailed below, because you can compare them to your own security maturity and strategy to prioritize which initiatives to tackle. For example, continuing with the 10,000-record loss as a baseline, establishing an Incident Response Team saves $13.66 per capita, reducing breach cost by $136,600. Extensive use of encryption and a solid Business Continuity Plan save another $258,400. The more records lost, the more these activities save. Consider the possibility of a mega breach of 1,000,000 or more records – those same 3 activities represent a cost reduction of over $53 million, and the financial viability of these activities becomes very apparent.
Also of note are activities that actually add to breach cost exposure, such as Third-Party Breach and Compliance Failures; it pays to vet and audit the security of your vendors and to remain compliant with the regulatory requirements that apply to you.
- While 2017 saw a significant drop in average breach costs, the past 2 years have shown a steady increase back to 2016 levels of $4 million.
- Breach probability has steadily increased over the years to a 2019 level of a 29.6% likelihood over the next 24 months.
- Compared to Human Error and System Glitch, Malicious or Criminal Attacks have increased steadily and significantly over the past 6 years.
- While overall per capita breach costs have declined 27% over the past 4 years, verticals like Health and Financial have shown a dramatic increase – and overall breach costs have still increased.
- There are obvious financial advantages to continuing to build your security program’s maturity.
Even though per capita breach costs have declined, presumably because security controls and technologies are being deployed, increases in threat actor activity have caused overall breach costs to rise over the past several years. This demonstrates that more should be done to increase security program maturity. Contact Cipher to let us tell you how we can help!