A new global study conducted by IBM suggests the financial impact of a data breach for an organization is, on average, $3.86 million.
However, in the worst cases, "mega breaches" may cost the enterprise between $40 million and $350 million.
IBM's 2018 Cost of a Data Breach Study, conducted in conjunction with the Ponemon Institute, suggests that the cost can become this high not due to the obvious damage caused by systems -- or the theft of information at the time of a breach -- but rather due to more subtle expenses incurred by an organization.
A loss of reputation may deter potential future customers, current business relationships may falter, and the time employees must spend on damage control -- as well as retraining and education -- may all rack up the bill.
According to the study, the average cost of a data breach, $3.86 million, has increased by 6.4 percent from 2017.
After interviewing close to 500 companies which have experienced a data breach, the study calculated that this is the average cost when under 100,000 records are compromised in a cybersecurity incident.
The average time it took to uncover a data breach is 197 days, and once identified, it takes roughly 69 days to contain.
However, the speed of incident response teams can have a huge impact on the overall cost of a data breach.
When a breach is contained in less than a month, IBM suggests businesses may be able to save up to $1 million in comparison to slower companies.
TechRepublic: 73% of orgs have only 1 person updating their systems, increasing ransomware risk
The amount of records stolen also has an effect. On average, each record costs $148, but this cost can be mitigated by having an incident response team on hand, as well as by implementing artificial intelligence (AI)-based cybersecurity solutions.
"Organizations that had extensively deployed automated security technologies saved over $1.5 million on the total cost of a breach," IBM says.
The study has also examined the cost of so-called "mega breaches," in which cyberattacks result in the loss of one million to 50 million records. In these cases, enterprise players can expect to lose between $40 million and $350 million -- but one-third of this estimated cost is caused by lost business.
See also: The return of Spectre
A recent IBM/Harris poll suggested that 75 percent of US consumers would not do business with a company they did not believe would take adequate measures to protect their data. When you consider that this aversion may be for years -- or permanent -- the true cost of data breaches to an organization may be incalculable.
Based on 11 companies experiencing this level of a data breach in the past two years -- such as Equifax and Target -- the study suggests that the majority of these security incidents are malicious rather than caused by human error, and the average time to detect and contain a breach was 365 days.
"While highly publicized data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified," said Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services (IRIS). "The truth is there are many hidden expenses which must be taken into account such as reputational damage, customer turnover, and operational costs."
"Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake," the executive added.
CNET: Macy's breach exposed customer data, credit card numbers