Your business hit by a data breach? Expect a bill of $3.92 million

Large enterprises may have to foot a far higher bill after a security incident.
Written by Charlie Osborne, Contributing Writer

The average financial impact of a data breach continues to rise and now can cost the average business up to $3.92 million, according to new research.

Data breaches have become such a common occurrence that hardly a week goes by when a business, organization, government department, bank, or educational establishment does not admit to the existence of one in their networks or systems. 

While the financial penalties can vary depending on the size of a business, a data breach can wreak havoc and the long-term cost may not be immediately apparent. 

On Tuesday, IBM Security released its annual study, the Cost of a Data Breach Report, to estimate both the immediate and ongoing expense of a data breach. According to the company, the cost of a data breach has risen by 12 percent over the course of five years, and organizations can expect to pay an average of $3.92 million. 

Businesses with fewer than 500 members of staff suffered losses of over $2.5 million on average, and for smaller firms this can equate to a substantial slice of their yearly revenue.

IBM says that this expense — which can be caused by the hire of third-party cyber forensics firms, legal costs, rapid investment in shoring up security, and potentially both compensation payments and government-issued penalties — may not always be immediate, glaring red strikes on a balance sheet. 

Instead, the true damage and cost of a data breach can be felt for years. The report says that, on average, 67 percent of expenses are realized during the first 12 months post-breach, 22 percent accrue during the second year, and 11 percent can take more than two years to become apparent.

Companies in the healthcare, financial services, pharmaceutical, and energy industries are the most likely to face additional costs over time. In addition, geography can make a difference, as companies based in the US can expect a higher bill to rectify the damage a data breach causes: on average, costs there can reach up to $8.19 million.

Companies face a penalty of up to $150 per record stolen. When over one million records have been stolen, for example, this can cost up to $42 million -- and 50 million records may result in a bill of up to $388 million. 


According to the report, it takes an organization 206 days to discover a data breach and a further 73 days to completely contain it. 

In today's world, it is not just a full-on, malicious attack which companies need to worry about -- a lack of training can mean that any employee could innocently open a phishing email and unwittingly become the source of a breach.

However, IBM says that malicious data breaches are still more common than those caused by system errors or human folly, accounting for 49 percent of recorded security incidents. In addition, malicious attacks average over $1 million more than accidental data breaches. 

The consequences of a data breach and the loss of consumer data or sensitive corporate information can be severe, as highlighted by Equifax this week. The credit monitoring agency suffered a data breach back in 2017 which led to the compromise of data belonging to 146 million users.

Equifax has now agreed to pay at least $575 million, and potentially up to $700 million, in damages, as well as provide a settlement fund of at least $300 million for impacted customers. 
