Data Breach Spotlight: The soaring costs and how to avoid them

IBM Blog

The soaring costs of a data breach

When British Airways’ systems were compromised, the UK Information Commissioner’s Office (ICO) announced its intention to impose a record £183m fine on the airline.

It could have been far worse: under Europe’s General Data Protection Regulation (GDPR), the airline faced a fine of up to 4% of annual turnover, roughly half a billion pounds.

If you’re running a small business, the consequences can be proportionally even worse: a breach typically costs up to 5% of annual revenue, a loss of more than £2m on average.

Following the introduction of tougher legislation and the growing complexity of resolving criminal cyberattacks, the cost of a data breach has risen 12% over the past five years to a global average of £3.2m.


The hidden costs

Data breaches are getting bigger.

The average size of a breach has increased 3.6% in the last year and now stands at 25,575 records, at a cost of around $150 per record lost.

In 2018, misconfigured cloud servers contributed to the exposure of 990 million records, 43% of all records lost that year. In the past three years alone, more than 11.7 billion records have been lost or stolen.

Worse still, a breach can seriously damage an organisation’s reputation for years, leading to lost business, and the financial costs themselves are remarkably open-ended.

On average, 67% of the total cost is incurred in the first year after the breach, a further 22% in the second year and 11% in the third.

For highly regulated businesses, such as financial services, pharmaceuticals, healthcare and energy, the long-tail costs in the second and third years are higher still.


Unhealthy costs

For almost a decade now, healthcare organisations have suffered the most expensive data breaches of any industry.

At more than $6.5 million per breach, their average cost is 60% higher than the cross-industry figure.

Data breaches in the US are generally the most expensive, at an average of $8.19 million, more than double the worldwide average and an increase of more than 130% over the past 14 years.

Yet as we’ve already seen, other countries, such as the UK, are swiftly catching up.

In the UK, the average cost of a data breach rose 10.56% on the previous year to £2.99m, double the cost of ten years ago.

The Middle East reported the highest average number of breached records, at nearly 40,000 per incident, compared with a global average of around 25,500.


Third party problems

If you’re not closely vetting the security of the organisations you do business with, you are neither secure nor safe from substantial costs.

Just the opposite, in fact.

Data breaches caused by a third-party partner cost an extra $370,000 on average.

So make sure your partners and suppliers meet your security standards, and actively monitor the access you grant them.


Mega and malicious breaches

When more than a million records are lost, it’s called a mega breach.

Of course, they also come with mega costs.

A mega breach costs companies around $42m on average.

Where more than 50 million records are lost, the average cost rises to $388m.

Almost half of all data breaches are caused by human error or system glitches, at an average cost to companies of around $3.50m.

However, data breaches originating from a malicious cyberattack cost companies $1 million more on average than those with accidental causes.

These breaches are not only the most expensive to deal with but are also increasingly the most common.

51% of data breaches are now the result of malicious attacks, up from 42% six years ago (a 21% relative increase), and they cost companies an average of $4.45 million.


The data breach lifecycle

The average lifecycle of a breach is 279 days.

For a malicious attack, it is typically around 314 days before the breach is finally contained.

It normally takes a company around 206 days simply to identify a breach, then a further 73 days to contain it.

Yet in many countries the mean time to detect and contain a breach is increasing. In the UK, for instance, it rose in the last year from an already poor 227 days to 243 days.

Why is this important?

Companies that detect and contain a breach in less than 200 days spend $1.2 million less in total.

In other words, the speed and efficiency with which a company responds to a breach has a significant impact on the overall cost.



Forming an incident response team reduces the cost of a data breach by an average of $360,000.

If that team also regularly and extensively tests its incident response plan, the average cost per breach is $1.23m less than for organisations with neither measure in place.

Similarly, companies that have fully deployed security automation technologies experience average breach costs of $2.65m, around half the $5.16m average suffered by organisations that have not deployed them.

Extensive use of encryption is another top cost-saving factor, reducing the total cost of a breach by $360,000.


Next steps

Despite the introduction of tougher legislation, a great many companies remain unaware of the full financial impact that a data breach can have on their business.

Yet in many cases the costs involved could be significantly reduced through technology investment, security awareness training for staff and regular testing of services so that breaches are identified at the earliest possible date.

You can prepare your business to address risks and speed up the discovery of threats. You can also demonstrate compliance by staying up to date with industry standards and building security into your organisation’s systems.

Do you agree it’s time to rethink your approach to cybersecurity?

Then explore IBM Security solutions here.
