According to the IBM report, it now takes 197 days to identify a breach and 69 days to contain it. <…> Entertainment and healthcare organizations take the longest time to discover and contain a breach – averaging more than 300 days – while financial services and energy sectors were quickest at discovery and remediation.
Time is money and being slow to detect and contain a breach can be costly. Taking more than 100 days to discover a breach could add as much as $1 million to the final bill. Likewise taking longer than 30 days to contain the breach once discovered can also add over $1 million to costs. Investment in monitoring and forensics capabilities could be valuable in the long run.
The size of your average data breach is now 24,615 records, an increase of 2.2 percent compared to 2017. Each record lost costs around $148 on average globally, while in the US that figure rises to $233. The final cost per record can be impacted by a number of factors relating to how well-prepared an organization is and how well it reacts to a breach.
Given the highly sensitive and regulated nature of the data they manage, it should come as little surprise that the health and financial sectors face the largest costs per record, up to $400 each.
A significant outlay organizations are faced with post-breach is notification costs. These include the creation of contact databases, determining regulatory requirements, consultancy fees, postal expenditures, email bounce-backs, and more. India has the lowest notification costs at just $20,000, while the U.S. has the highest at $740,000 per breach, largely due to data breach notification regulations.
However, now that the European Union’s regulation is in effect, companies are likely to see “huge increases throughout the world” in the future when it comes to notification costs. “One key thing with GDPR is you have that 72-hour disclosure window. And that time can go by very, very fast. Folks really need to understand the need for preparation.”
Mega breaches can incur large indirect costs
According to IBM, a “mega-breach” of 1 million records could cost a company $40 million, while the loss of 50 million records might lose a company $350 million.
“If you’re a company who loses fifty million records, first and foremost there’s an expectation that you’re likely a very large company who certainly has the financial means to be able to put an adequate level of protection in place. Folks will look at that and say that is a catastrophic failure, and clients are going to make an alternative choice of who they do business with as a result.”