What does a data protection violation cost?

The Ponemon Institute has published the annual "Cost of a Data Breach" study on behalf of IBM for the 15th time in a row. The study attempts to quantify the consequences of data security breaches. The study attempts to quantify the cost of data breaches for companies of different sizes and industries. The report is well established in the market and shows the historical development of costs in an annual and country comparison. 

The effort required to obtain reliable data is enormous. For the 2020 report, the Ponemon Institute surveyed more than 500 organizations where data security breaches occurred between August 2019 and April 2020. These are companies from 17 countries, of varying sizes and industries. More than 3,000 individual interviews with affected individuals were conducted to collect the data.

The data is therefore highly informative and represents an important benchmark for companies to assess their own financial risk. The global average cost of a data security breach is 3.86 million US dollars. This ranges from more than 8 million US dollars for US companies to just over 1 million US dollars in Brazil. There is, of course, a clear correlation between the economic performance of a country and the affected company.

Remarkable is the average life span of a data security breach, which averages 270 days until detection and removal. A lot of time for the attackers to calmly set up a network, cover their tracks, spread, gather information and then strike in a targeted manner. Not surprisingly, the correlation between this lifespan and the amount of damage caused is

The causes of data security breaches themselves are diverse and range from human error to system failure. However, in more than half of all cases cyber attacks are responsible for the incidents. Compromised user IDs and misconfigurations in the cloud are the main entry points for these malicious data security breaches. Here, the implementation of modern identity and access management, as well as the identification, localization and protection of critical data in hybrid multi cloud environments is an appropriate and effective countermeasure. 

A good 80% of all data security breaches involve personal information. This is where we have the greatest influence on the costs caused by reporting obligations, loss of trust and reputation.

The study not only helps companies to understand the average costs associated with a data security breach. They can also identify which measures reduce or increase these costs and to what extent. This knowledge then enables companies to plan investments in security specifically and based on the actual benefits

For example, a company's ability to respond to incidents by deploying trained incident response teams is the biggest cost-cutting factor.

The most effective way to reduce the cost of data breaches, however, is through technologies such as advanced analysis capabilities, the use of AI and orchestration to identify risks and respond automatically to incidents. 

On the other side of the list are complex security landscapes as the biggest cost driver for data breaches. Here, companies can significantly reduce their risk by consolidating and modernizing their security infrastructure. 

The study shows many regional and industry-specific connections, of which we could only present a few here. A look at the study is worthwhile for anyone responsible for security programs or investments. 

A document on this subject is available in German. Would you like to read it? Switch to the German view.