Larry Ponemon surveys companies every year to see how the cost of dealing with breaches is trending. This year's report shows, among other things, that it costs companies an average of $217 per record breached. That means, on average, a small breach of, say, 10,000 records still costs $2 million. If you assume his numbers are high, half of that is still $1 million. Absent insurance, that is a large check to write.
Statistics from the report (see here, registration may be required) include:
- Cost per record breached has been around $210 +/- 5% since 2008. While it is good that the cost per record is not going up, total records last year were over 1 billion, so that is still a large check for people to write.
- Average total organizational cost is also basically flat since 2008 – in the $5 mil to $7 mil range per breach. This number is trending up a little bit over the last 4 years (up $1 mil from 2012, but down from the very highest year, 2011, which was $7.24 mil).
- Cost per record does vary by industry. Healthcare was the highest at $398 per record; public sector the lowest at $73 (the public sector is likely the lowest because you cannot sue city hall – at least not successfully). Other sectors were in the middle – financial at $259, services at $219, industrial at $190 and retail at $189, for example.
- 49% of breaches were caused by a malicious attack and 32% were caused by system or business process failures. The rest were attributed to human error (19%).
- Factors that influence the average cost per breached record include having an incident response team ($23.8 less), using encryption throughout ($19 less) and board involvement ($9.8 less). On the other hand, lost and stolen devices add $12, and third-party involvement adds $29.
- Churn (loss of customers) has a very big effect on average total cost. For companies with less than 1% churn, the average total cost is $5.5 mil; for companies with more than 4% churn, the average cost is $12.7 million – more than double.
The report has many other statistics; these are just a few of the highlights. Please click on the link above to see the report.