Study Finds Average Cost of Enterprise Breaches on the Rise
The average cost of corporate security breaches has raised 23 percent over the last two years, according to a report by IBM and Ponemon Institute.
The report, named 2015 Cost of Data Breach Study: Global Analysis, looked at 350 companies in 11 different countries and found that the average total cost of an intrusion incident has topped $3.8 million.
When trying to pinpoint why the cost has increased so dramatically in the last couple of years, Larry Ponemon, founder and chairman of the Ponemon Institute, said that his team found three major factors that were in play.
"First, cyber attacks are increasing both in frequency and the cost it requires to resolve these security incidents," said Ponemon. "Second, the financial consequences of losing customers in the aftermath of a breach are having a greater impact on the cost. Third, more companies are incurring higher costs in their forensic and investigative activities, assessments and crisis team management."
Breaking down the different average costs per country, the report found that the U.S. has the highest average organizational cost per incident at $6.5 million and Germany came in second at $4.9 million. Both Brazil and India got off the lightest with an organizational cost per incident of $1.8 million in the former and $1.5 million in the latter.
While the U.S. may have the highest cost, the report found that Brazilian and French companies were the most likely at risk to incur one or more breaches in the next 24 months, while Canada and Germany are the least likely. While location does play a part, the report was quick to point out that the specific industry may be more important.
For the first time in the annual reporting, both IBM and Ponemon Institute also studied the average time it takes for an enterprise to spot a network breach. In maliciously driven incidents, the average time it takes to discover an attacker has breached a system is 256 days, while those incidents caused by human error take 158 days to identify.
The long period of time before a breach is discovered can be attributed to a lack of cooperation and an unwillingness by many IT shops to use the best security tools out there, according to IBM's Marc van Zadelhoff, VP of strategy for the company. "The industry needs to organize at the same level as hackers to help defend themselves from these continuing attacks. The use of advanced analytics, sharing threat intelligence data and collaborating across the industry will help to even the playing field against attackers while helping mitigate the cost to commerce and society."
For its part, Microsoft is aiming to limit both the amount of security breaches and the time it takes to discover those already inside with its recently announced Advance Threat Analytics (ATA) tool, currently available in preview.