Companies across the world now spend an average of $4m (£2.8m) on every data breach they suffer, with the majority of cash spent on incident forensics and comms, plus legal and regulatory costs.
IBM, working with the independent Ponemon research organisation, found that the average cost to UK companies is £2.5m, or £102 per record lost.
Finance, life sciences, tech, communications and service companies incur the highest cost when their data is breached.
While the cost per record stolen has decreased slightly in the UK, the total cost of data breaches has risen by 6.5 per cent over two years.
Just over half of all breaches in the UK were found to have been from a malicious source, with human error and systems glitches making up around one quarter each.
Even when fewer than 10,000 records are lost or stolen, the cost for a company nears £1m.
The researchers found that the average cost increases the longer that threats go unidentified.
Overall, there were 64 per cent more security incidents reported worldwide in 2015 than in 2014.
Speaking at The Europas conference in London yesterday, KPMG’s Ruth Anderson, director of the company’s cyber security partnership, said: “There are a number of things that our clients struggle with, particularly understanding the nature of the threat today and how that affects their organisational structure. Many are failing to protect themselves.”
She argues that companies need to be more agile in their approach to buying and testing new technology to help detect the growing number of threats presented by things like staff using personal mobile devices.
“You aren’t able to protect your business, fundamentally, so you have to work on detecting threats, essentially seeing into the future. So businesses need to understand who they need to work with and how they might do that.”
“You also need to start showing ROI in this area,” she added. “There isn’t the potential for an ever-increasing spend anymore.”
Dr. Larry Ponemon simply calls data breaches a “cost of doing business”.
“The evidence shows that this is a permanent cost organisations need to be prepared to deal with and incorporate in their data protection strategies.”