The average cost to UK organizations of a data breach has risen by over 7% over the past two years to reach £2.37 million, or £104 per stolen record, according to the latest Ponemon Institute figures.
The research firm has teamed up once again with IBM to release this year’s Cost of Data Breach Study which comprised stats from 39 breached companies from 12 different sectors.
Unsurprisingly, malicious or criminal attacks were the main cause of such breaches, accounting for 49% of incidents. Some 28% said human error or negligence was the primary factor, while 23% said system failure was the main reason.
Those successfully hit by cybercriminals found their costs much higher per capita (£123) than those experiencing employee error (£92) or system problems (£90).
Once again, those with more lost records paid out more: firms that lost fewer than 10,000 records averaged just £1m in losses, while for businesses that lost more than 50,000 records, the cost was £7.13m on average.
It’s also notable that organizations experiencing high customer churn were hit by higher data breach costs.
For example, financial services and pharmaceuticals firms – which have high churn – had a per capita cost above the mean, while public services and transportation companies have a per capita cost well below the mean, and also lower “abnormal churn” rates.
The report claimed that costs associated with detection and escalation, as well as lost business, increased last year, but that notification costs decreased.
Extensive use of encryption; incident response plans; business continuity management and board level involvement; employee training; CISO appointment; and insurance protection are all good ideas as they lead to lower breach costs.
However, lost or stolen devices; third party involvement; quick notification of victims; and the use of consultants usually increase costs.
It should be added that the report’s findings are only an estimate, covering direct costs such as credit monitoring and forensic help, and indirect costs such as customer loss and in-house investigations.
Indirect costs are notoriously difficult to quantify, especially the potential hit to a company’s brand and shareholder value.
Target, for example, claimed in a quarterly report last year to have spent $148 million, partially offset by insurance, in breach-related costs in Q2 2014 alone.