Barely a week goes by in 2017 without some kind of IT failure hitting the headlines – but a new report from IBM and Ponemon brings better news for CIOs, at least if you work in the UK.
Analysis of 40 companies in 13 industries reveals that the price of a typical data breach in Britain has dropped by two per cent, from £2.53m in 2016 to £2.49m in 2017. The cost per breached record dropped too, from £102 to £98 (four per cent).
The report details a few reasons for why that might be:
- One of the biggest indirect costs of a breach is the loss of customers, known as abnormal churn, which declined by eight per cent this year.
- The average size of the data breach decreased by five per cent, which may help to explain why businesses lost fewer customers.
- The time it took to identify breaches dropped from 201 days to 191 on average, while the time it took to contain the breach fell from 70 days to 66.
Companies that suffer from less costly attacks share certain characteristics, according to the report, including:
- The employment of an incident response team. This is the biggest factor in bringing down the cost of a breach, saving £13.20 per breached record.
- Extensive use of encryption saves companies £11.10 per breached record.
- Having chief information security and privacy officers on the staff also brings down the cost of breaches.
On the flipside, these are the factors that contribute to more expensive breaches:
- Working with third parties costs £10.40 per breached record.
- Compliance failures cost £9.80 per breached record.
- Extensive cloud migration costs £7.50 per breached record.
- Extensive use of mobile platforms costs £6.70 per breached record.
- Lost or stolen devices cost £5.70 per breached record.
The report also breaks down the cost by industry. The financial sector’s breaches are, unsurprisingly, the most expensive, costing £154 per breached record, with the tech sector’s a close second at £141. Breaches in the transport and public sectors are the least expensive, costing £67 and £59 respectively.
Beyond the UK, Europe saw a decrease in the total cost of data breaches of more than 26 per cent, from $4.24m to $3.27m, while in the US the cost of breaches grew by 5 per cent, from $7.01m to $7.35m.
The report attributes the disparity to the different regulatory requirements in the US and Europe. US retail giant Target, for example, recently paid an $18.5m (£14.7m) legal settlement to 47 states following its 2013 data breach.
With the EU’s General Data Protection Regulation coming into force next year, European firms may find their advantage over the Americans short-lived. Under the new rules, firms could be fined up to €20m (£17.6m) or 4 per cent of annual global turnover, whichever is higher.