A new report reveals the financial burden of data breaches, with a devastating impact on small and midsize businesses.
According to the report, the overall cost of a data breach has risen 12% over the past five years and now averages $3.92 million. These rising expenses reflect the multiyear financial impact of breaches, increased regulation and the complex process of resolving criminal attacks.
For the healthcare sector, data breaches cost an average of $6.5 million, and the cost per record is about three times that of other sectors, according to the report by the Ponemon Institute, sponsored by IBM. This represents a 5% increase for healthcare in the past year: health providers will now spend $429 per lost or stolen record, up from $408 per record in 2018.
“Technology, innovation and automation are changing the very nature of your work. We are entering an era where the possibility for distrust is heightened,” Travis Mills of LibertyID told PNN. “Innovative leaders are driven by decency and acceptance. The loss of customer trust has serious financial consequences, and lost business is the largest of four major cost categories contributing to the total cost of a data breach for physicians.”
In the study, companies with fewer than 500 employees suffered losses of more than $2.5 million on average, a potentially crippling amount for small businesses, which typically earn $50 million or less in annual revenue.
The findings also show the long-tail financial impact of a data breach: the effects are felt for years. While an average of 67% of data breach costs were realized within the first year after a breach, 22% accrued in the second year, and another 11% accumulated more than two years after the breach. The long-tail costs were higher in the second and third years for organizations in highly regulated environments, such as healthcare, financial services, energy and pharmaceuticals.
“Regulatory compliance is not enough. You may be in ‘full compliance’ and still be fined by Health and Human Services’ watchdog division, the Office for Civil Rights, as well as being sued in class action by your patients and losing all for which you have worked,” according to Mills.
The study found that data breaches originating from a malicious cyberattack were not only the most common root cause of a breach, but also the most expensive.
Malicious data breaches cost companies in the study $4.45 million on average, over $1 million more than those originating from accidental causes such as system glitches and human error. These breaches are a growing threat: the share of malicious or criminal attacks as the root cause of data breaches in the report crept up from 42% to 51% over the past six years of the study (nine percentage points, a 21% relative increase).
Inadvertent breaches from human error and system glitches still accounted for nearly half (49%) of the data breaches in the report, costing companies $3.50 million and $3.24 million respectively. These breaches from human and machine error represent an opportunity for improvement, which can be addressed through security awareness training for staff, technology investments, and testing services to identify accidental breaches early on. One particular area of concern is the misconfiguration of cloud servers, which contributed to the exposure of 990 million records in 2018, representing 43% of all lost records for the year, according to the IBM X-Force Threat Intelligence Index.
A focus on incident response can help reduce the time it takes companies to respond, and the study found that such measures also correlated directly with lower overall costs. Having an incident response team in place and extensively testing incident response plans were two of the top three cost-saving factors examined in the study. Companies that had both measures in place paid $1.23 million less in total costs for a data breach on average than those that had neither ($3.51 million vs. $4.74 million).
Physicians, physician groups, clinics and hospitals must have a plan in place before a data breach happens to them, a plan that not only assures they are in lockstep with compliance, but also living in the reality of acceptance, Mills added. “Monitoring after the fact is useless; you must have a plan that fixes the issues related to a data breach for your patients. A human-to-human solution is required to avoid costly, business-disrupting, career-ending fallout from a data breach at your practice.”