Cyber Attacks Raise Cost of Data Breach, IBM/Ponemon Study Shows
The price of a data breach keeps going up—and up and up, according to the 2015 Ponemon Cost of Data Breach Study: Global Analysis, sponsored by IBM. In fact, the average consolidated total cost has increased 23 percent from two years ago, to a record-breaking $3.8 million.
“Based on our field research, we identified three major reasons why the cost keeps climbing,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute, in a news release announcing the study’s findings. “First, cyber attacks are increasing both in frequency and the cost it requires to resolve these security incidents. Second, the financial consequences of losing customers in the aftermath of a breach are having a greater impact on the cost. Third, more companies are incurring higher costs in their forensic and investigative activities, assessments and crisis team management.”
The study covered 16 industries in 11 countries. Of the 16, healthcare had the highest per capita cost: $363. If attacks are increasing the cost of a data breach, and healthcare has the highest per capita cost, we can infer that cyber attacks are a factor in the high cost of healthcare data breaches.
Similar discoveries were made in the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, also conducted by Ponemon Institute, which found that criminal attacks are up 125 percent since 2010. “For the first time, criminal attacks constitute the number one root cause [of data breaches], versus user negligence/incompetence or system glitches,” Dr. Ponemon said in a Dark Reading article.
Hackers and criminal insiders were also the primary cause of data breaches in the IBM/Ponemon study, at 47 percent. It costs significantly more to resolve these types of attacks—$170 per record. On the other hand, system glitches cost $142 per record and human error or negligence is $137 per record.
For the first time, [the IBM/Ponemon] study shows the relationship between how quickly an organization can identify and contain data breach incidents and financial consequences, according to the press release. It takes nearly 100 more days on average to identify malicious attacks versus breaches caused by human error.
Despite the increasing threats and costs, the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data found that half of all healthcare organizations have little or no confidence in their ability to detect all patient data loss or theft. In addition, only 40 percent of covered entities and 35 percent of business associates are concerned about cyber attackers.
But we must be concerned. Criminals will only grow more sophisticated and determined to either cash in on or otherwise leverage sensitive data to gain their nefarious ends. As a result, security incidents have become an everyday cost of business—and nearly every organization will experience a data breach (or two or three) at some point. While we can’t prevent them all, we can take steps to lower the cost and other consequences of an incident or data breach:
- Embed an effective incident response process into our data governance model. Perhaps the most critical part of this is a consistent, compliant method for performing incident risk assessments—the process of determining if a security incident is legally a data breach that requires notification.
- Consider cyber liability or data breach insurance. These types of insurance vary significantly among carriers, so it’s important to shop carefully. The right coverage can greatly relieve the financial burden of a larger data breach on healthcare or medium-sized organizations. Remember, however, that insurance carriers are not necessarily data breach or cyber experts who know the best methods for breach response.
Only as we take these and other proactive steps can we contain the rising costs of data breach—monetary and otherwise.