Mar 14 2016

How much does a cyber breach cost?

How much does a data breach actually cost? IBM sponsored the Ponemon Institute to research (the report can be viewed at and answer the question “What is the cost of a cyber breach in 2015?” The research encompassed over 350 organizations across 11 countries. The question is a complex one, with many interconnected factors such as:

  • Size of the company: small, medium, large, enterprise
  • Industry of the company: retail, healthcare, manufacturing, etc.
  • Regulations that apply to the specific industry
  • The business’ proprietary information
  • Reputation

Some of the key findings from the white paper are:

  • The average cost of a breach is $3.8 million
  • The average cost per stolen record is between $145 and $154

Costs vary per industry and country involved:

  • The U.S. has the highest per record costs, averaging $217
  • The average number of records stolen per incident is 28,000
  • The average cost for a U.S. cyber breach is over $6 million
  • Health per record cost: $363
  • Pharma per record: $220
  • Financial services per record: $215
  • Manufacturing per record: $155

The elements used to determine the costs were direct and indirect expenses:

  • Engaging a forensic expert
  • Outsourcing hotline support
  • In-house investigations
  • Communication
  • Decreased revenues from customer loss
  • Increased cost to create new customers

According to First Data Corporation’s report, Small Business Cost of a Data Breach, small businesses experience on average a 30% loss of customers due to a breach.

Direct and indirect costs represent a higher percentage of  small business’ revenue. A small biotech developing a new drug, treatment, or device likely cannot afford a breach. The loss of intellectual property can destroy the business.

Businesses cannot afford to disregard cybersecurity. The average cost of a cyber breach can devastate a business, especially a small business. Organizations must become more security conscious and test their networks and processes regularly to ensure they can withstand a potential incident. They must create a security plan as well as a disaster recovery plan. Businesses must be remain vigilant to keep out the criminals trying to break in. As the saying goes, an ounce of prevention is worth a pound of cure.